{"dataType":"CVE_RECORD","dataVersion":"5.2","cveMetadata":{"cveId":"CVE-2026-42349","assignerOrgId":"a0819718-46f1-4df5-94e2-005712e83aaa","state":"PUBLISHED","assignerShortName":"GitHub_M","dateReserved":"2026-04-26T13:26:14.515Z","datePublished":"2026-05-11T16:08:27.869Z","dateUpdated":"2026-05-14T18:19:38.735Z"},"containers":{"cna":{"title":"Clerk: Authorization bypass when combining organization, billing, or reverification checks","problemTypes":[{"descriptions":[{"cweId":"CWE-754","lang":"en","description":"CWE-754: Improper Check for Unusual or Exceptional Conditions","type":"CWE"}]},{"descriptions":[{"cweId":"CWE-863","lang":"en","description":"CWE-863: Incorrect Authorization","type":"CWE"}]}],"metrics":[{"cvssV4_0":{"attackVector":"NETWORK","attackComplexity":"LOW","attackRequirements":"PRESENT","privilegesRequired":"LOW","userInteraction":"NONE","vulnConfidentialityImpact":"HIGH","vulnIntegrityImpact":"HIGH","vulnAvailabilityImpact":"NONE","subConfidentialityImpact":"NONE","subIntegrityImpact":"NONE","subAvailabilityImpact":"NONE","baseScore":7.6,"baseSeverity":"HIGH","vectorString":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N","version":"4.0"}}],"references":[{"name":"https://github.com/clerk/javascript/security/advisories/GHSA-w24r-5266-9c3c","tags":["x_refsource_CONFIRM"],"url":"https://github.com/clerk/javascript/security/advisories/GHSA-w24r-5266-9c3c"}],"affected":[{"vendor":"clerk","product":"javascript","versions":[{"version":">= 5.22.0, < 5.125.10","status":"affected"},{"version":">= 6.0.0, < 6.7.5","status":"affected"}]},{"vendor":"@clerk","product":"shared","versions":[{"version":">= 3.0.0, <= 3.47.4","status":"affected"},{"version":">= 4.0.0, <= 4.8.2","status":"affected"}]},{"vendor":"@clerk","product":"backend","versions":[{"version":">= 2.0.0, <= 2.33.2","status":"affected"},{"version":">= 3.0.0, <= 3.2.13","status":"affected"}]},{"vendor":"@clerk","product":"nextjs","versions":[{"version":">= 6.0.0, <= 
6.39.2","status":"affected"},{"version":">= 7.0.0, <= 7.2.3","status":"affected"}]},{"vendor":"@clerk","product":"clerk-react","versions":[{"version":">= 5.9.0, <= 5.61.5","status":"affected"}]},{"vendor":"@clerk","product":"react","versions":[{"version":">= 6.0.0, <= 6.4.2","status":"affected"}]},{"vendor":"@clerk","product":"vue","versions":[{"version":">= 1.0.0, <= 1.17.20","status":"affected"},{"version":">= 2.0.0, <= 2.0.15","status":"affected"}]},{"vendor":"@clerk","product":"astro","versions":[{"version":">= 2.0.0, <= 2.17.10","status":"affected"},{"version":">= 3.0.0, <= 3.0.17","status":"affected"}]},{"vendor":"@clerk","product":"nuxt","versions":[{"version":">= 1.0.0, <= 1.13.28","status":"affected"},{"version":">= 2.0.0, <= 2.2.4","status":"affected"}]},{"vendor":"@clerk","product":"clerk-expo","versions":[{"version":">= 2.2.11, <= 2.19.35","status":"affected"}]},{"vendor":"@clerk","product":"expo","versions":[{"version":">= 3.0.0, <= 3.2.1","status":"affected"}]},{"vendor":"@clerk","product":"react-router","versions":[{"version":">= 0.0.1, <= 2.4.12","status":"affected"},{"version":">= 3.0.0, <= 3.1.3","status":"affected"}]},{"vendor":"@clerk","product":"tanstack-react-start","versions":[{"version":">= 0.0.1, <= 0.29.10","status":"affected"},{"version":">= 1.0.0, <= 1.1.3","status":"affected"}]},{"vendor":"@clerk","product":"chrome-extension","versions":[{"version":">= 1.3.5, <= 2.9.14","status":"affected"},{"version":">= 3.0.0, <= 3.1.14","status":"affected"}]},{"vendor":"@clerk","product":"fastify","versions":[{"version":">= 1.0.42, <= 2.6.30","status":"affected"},{"version":">= 3.0.0, <= 3.1.15","status":"affected"}]},{"vendor":"@clerk","product":"express","versions":[{"version":">= 0.1.0, <= 1.7.78","status":"affected"},{"version":">= 2.0.0, <= 2.1.5","status":"affected"}]},{"vendor":"@clerk","product":"hono","versions":[{"version":">= 0.0.2, <= 
0.1.15","status":"affected"}]}],"providerMetadata":{"orgId":"a0819718-46f1-4df5-94e2-005712e83aaa","shortName":"GitHub_M","dateUpdated":"2026-05-11T16:08:27.869Z"},"descriptions":[{"lang":"en","value":"Clerk JavaScript is the official JavaScript repository for Clerk authentication. has(), auth.protect(), and related authorization predicates in @clerk/shared, @clerk/nextjs, @clerk/backend, and other framework SDKs can return true for certain combined authorization checks when the result should be false, allowing a gated action to proceed for an authenticated user who does not satisfy the full set of requested conditions. The bypass applies to two call shapes: a has() or auth.protect() call that combines a reverification check with any of role, permission, feature, or plan, and a has() or auth.protect() call that combines a billing check (feature or plan) with a role or permission check. Until upgraded, applications should not treat the result of such a combined check as sufficient to gate the protected action. This vulnerability is fixed in @clerk/clerk-js 5.125.10 and 6.7.5; the other affected packages listed in this record (@clerk/shared, @clerk/backend, @clerk/nextjs, and the remaining framework SDKs) have their own fixed versions, which are given in the linked GitHub advisory GHSA-w24r-5266-9c3c."}],"source":{"advisory":"GHSA-w24r-5266-9c3c","discovery":"UNKNOWN"}},"adp":[{"references":[{"url":"https://github.com/clerk/javascript/security/advisories/GHSA-w24r-5266-9c3c","tags":["exploit"]}],"metrics":[{"other":{"type":"ssvc","content":{"timestamp":"2026-05-14T18:18:41.752602Z","id":"CVE-2026-42349","options":[{"Exploitation":"poc"},{"Automatable":"no"},{"Technical Impact":"partial"}],"role":"CISA Coordinator","version":"2.0.3"}}}],"title":"CISA ADP Vulnrichment","providerMetadata":{"orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP","dateUpdated":"2026-05-14T18:19:38.735Z"}}]}}