CVE-2026-34076
Published: 01 April 2026
Summary
CVE-2026-34076 is a high-severity SSRF (CWE-918) vulnerability. Its CVSS base score is 7.4 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). It ranks at the 7.2nd percentile for exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-4 (Information Flow Enforcement) and SC-7 (Boundary Protection).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- Validates user-supplied request paths in the clerkFrontendApiProxy function to block SSRF exploitation that sends the Clerk-Secret-Key to attacker-controlled servers.
- SC-7 (Boundary Protection): monitors and controls outbound communications at system boundaries to restrict the proxy from connecting to unauthorized external attacker servers.
- AC-4 (Information Flow Enforcement): enforces information flow control policies to prevent the proxy function from initiating unauthorized requests carrying sensitive keys to external destinations.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
SSRF in the public-facing Clerk proxy enables initial access by exploiting a public-facing application (T1190) and direct theft of the application's secret key, which functions as an access token (T1528).
NVD Description
Clerk JavaScript is the official JavaScript repository for Clerk authentication. In @clerk/hono from versions 0.1.0 to before 0.1.5, @clerk/express from versions 2.0.0 to before 2.0.7, @clerk/backend from versions 3.0.0 to before 3.2.3, and @clerk/fastify from versions 3.1.0 to before 3.1.5, the clerkFrontendApiProxy function in @clerk/backend is vulnerable to Server-Side Request Forgery (SSRF). An unauthenticated attacker can craft a request path that causes the proxy to send the application's Clerk-Secret-Key to an attacker-controlled server. This issue has been patched in @clerk/hono version 0.1.5, @clerk/express version 2.0.7, @clerk/backend version 3.2.3, and @clerk/fastify version 3.1.5.
Deeper analysis
CVE-2026-34076 is a Server-Side Request Forgery (SSRF) vulnerability, mapped to CWE-918, in the clerkFrontendApiProxy function within the @clerk/backend package of Clerk JavaScript, the official JavaScript repository for Clerk authentication. It affects @clerk/hono versions from 0.1.0 up to but not including 0.1.5, @clerk/express versions from 2.0.0 up to but not including 2.0.7, @clerk/backend versions from 3.0.0 up to but not including 3.2.3, and @clerk/fastify versions from 3.1.0 up to but not including 3.1.5. The vulnerability carries a CVSS v3.1 base score of 7.4 (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N) and was published on 2026-04-01.
An unauthenticated attacker can exploit this vulnerability by crafting a request path that manipulates the proxy function, causing it to send the application's sensitive Clerk-Secret-Key to a server under the attacker's control. This enables potential compromise of authentication secrets, which could lead to unauthorized access or further attacks on Clerk-integrated applications.
The vulnerability has been patched in @clerk/hono version 0.1.5, @clerk/express version 2.0.7, @clerk/backend version 3.2.3, and @clerk/fastify version 3.1.5. Additional details on the issue and remediation are available in the GitHub security advisory at https://github.com/clerk/javascript/security/advisories/GHSA-gjxx-92w9-8v8f.
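The path-validation control described above, as an added example written for this page (not Clerk's own code, and making no claim about how the original clerkFrontendApiProxy was implemented): a proxy accepts only a path-absolute reference, resolves it against the configured upstream, and refuses to attach the secret when the resolved origin differs. The upstream host name, the header used to carry the secret, and the test inputs are all constructed placeholders.

```javascript
// Placeholder upstream, not a real Clerk host (assumption for this example).
const PROXY_UPSTREAM = "https://frontend-api.example.com";

/**
 * Resolve a user-supplied path against the upstream base and return the
 * absolute URL to forward to, or null if the path would change the origin.
 */
function resolveProxyTarget(upstreamBase, userPath) {
  const base = new URL(upstreamBase);
  if (typeof userPath !== "string" || userPath.length === 0) return null;
  // Accept only path-absolute references. This rejects absolute URLs
  // ("https://...") and scheme-relative references ("//host/...") up front.
  if (!userPath.startsWith("/") || userPath.startsWith("//")) return null;
  // WHATWG URL parsing treats "\" like "/" for http(s), so "/\host/..." would
  // otherwise resolve like "//host/...". Reject backslashes explicitly.
  if (userPath.includes("\\")) return null;
  let target;
  try {
    target = new URL(userPath, base);
  } catch {
    return null; // unparseable input is not forwarded
  }
  // Defence in depth: after resolution the origin must still be the upstream.
  if (target.origin !== base.origin) return null;
  return target.toString();
}

/**
 * Build the outbound request. The secret is attached only when the target
 * passed validation; otherwise the caller should answer 400 and nothing
 * carrying the secret leaves the server. Header name is an assumption.
 */
function buildProxyRequest(upstreamBase, userPath, secretKey) {
  const url = resolveProxyTarget(upstreamBase, userPath);
  if (url === null) return null;
  return { url, headers: { Authorization: `Bearer ${secretKey}` } };
}
```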
Details
- CWE(s): CWE-918 (Server-Side Request Forgery)