Cyber Resilience

CVE-2026-42349

Severity: High (updated)
Published: 11 May 2026
Modified: 01 June 2026
KEV Added: not listed
Patch: available (see vulnerability details)
CVSS Score (v4): 7.6 · CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score: 0.0025 (15.7th percentile)
Risk Priority: 55 (floored blend · peak EPSS)

Summary

CVE-2026-42349 is a high-severity Improper Check for Unusual or Exceptional Conditions (CWE-754) vulnerability in Clerk's JavaScript SDKs, catalogued here under the Clerk/Astro package (see Affected Assets for the full package list). Its CVSS v4 base score is 7.6 (High).

Operationally, its EPSS score of 0.0025 places it at the 15.7th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

Vulnerability details

Clerk JavaScript is the official JavaScript repository for Clerk authentication. has(), auth.protect(), and related authorization predicates in @clerk/shared, @clerk/nextjs, @clerk/backend, and other framework SDKs can return true for certain combined authorization checks when the result should be false, allowing a gated action to proceed for a user who does not satisfy the full set of requested conditions. The affected call shapes are a has() or auth.protect() call that combines a reverification check with any of role, permission, feature, or plan, or that combines a billing check (feature or plan) with a role or permission check. Because the predicate itself returns the wrong answer, any gating built on it (route protection, server-side handlers, UI gating) inherits the flaw until the SDK is updated. This vulnerability is fixed in @clerk/clerk-js 5.125.10 and 6.7.5.
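The call shapes described above, as an added example that is not Clerk's code and not part of the original advisory: a small scanner that flags has()/auth.protect() calls in source text whose parameter object mixes the affected condition keys, and a strict evaluator that decides a combined check by AND-ing single-condition checks, which is what a caller gets by splitting one combined call into several single-key calls. The session shape, the key names, and treating `reverification` as a window in minutes are assumptions made for illustration, not Clerk's API; the sample source and session are constructed inputs.

```javascript
// Added example (not Clerk's code). Two pieces: (1) a scanner that flags the
// combined has()/auth.protect() call shapes the advisory names, and (2) a
// strict evaluator that decides a combined check by AND-ing single-condition
// checks. The session shape, the key names, and treating `reverification` as
// a window in minutes are assumptions made for illustration, not Clerk's API.

const COMBINABLE_KEYS = ['role', 'permission', 'feature', 'plan', 'reverification'];

// The two affected shapes from the advisory: reverification combined with any
// other key, or a billing key (feature/plan) combined with role/permission.
function isAffectedShape(keys) {
  const set = new Set(keys.filter((k) => COMBINABLE_KEYS.includes(k)));
  const billing = set.has('feature') || set.has('plan');
  const access = set.has('role') || set.has('permission');
  if (set.has('reverification') && set.size > 1) return true;
  return billing && access;
}

// First-pass scanner for a code base: finds has({...}) / auth.protect({...})
// calls whose object literal uses an affected combination of keys. Regex-based
// (assumption: single-line object literals with bare identifier keys), so it
// is a triage aid, not a parser.
function findAffectedCalls(source) {
  const callRe = /\b(?:auth\.protect|has)\s*\(\s*\{([^}]*)\}/g;
  const keyRe = /\b(role|permission|feature|plan|reverification)\s*:/g;
  const hits = [];
  let m;
  while ((m = callRe.exec(source)) !== null) {
    const keys = [...m[1].matchAll(keyRe)].map((k) => k[1]);
    if (isAffectedShape(keys)) {
      const line = source.slice(0, m.index).split('\n').length;
      hits.push({ line, keys });
    }
  }
  return hits;
}

// One condition at a time against a constructed session object.
function checkOne(session, key, value, nowMs) {
  switch (key) {
    case 'role': return session.orgRole === value;
    case 'permission': return session.orgPermissions.includes(value);
    case 'feature': return session.features.includes(value);
    case 'plan': return session.plan === value;
    case 'reverification': {
      // Assumption: satisfied only if the last verification happened within
      // `value` minutes before now.
      const ageMs = nowMs - session.lastVerifiedAt;
      return ageMs >= 0 && ageMs <= value * 60 * 1000;
    }
    default: throw new Error(`unknown condition: ${key}`);
  }
}

// Strict combined check: every requested condition must hold. Evaluating each
// key on its own and AND-ing the results keeps the decision independent of how
// an SDK composes mixed conditions internally.
function hasAll(session, params, nowMs = Date.now()) {
  return Object.entries(params).every(([k, v]) => checkOne(session, k, v, nowMs));
}

// Constructed sample data.
const NOW = 60 * 60 * 1000; // an arbitrary "now", one hour after epoch
const session = {
  orgRole: 'org:member',
  orgPermissions: ['org:reports:read'],
  features: ['premium_reports'],
  plan: 'free',
  lastVerifiedAt: 0, // last verified an hour before NOW
};
const SAMPLE_SOURCE = `
const admin = has({ role: 'org:admin' });
const canDelete = has({ role: 'org:member', reverification: 10 });
await auth.protect({ feature: 'premium_reports', permission: 'org:reports:read' });
const pro = has({ plan: 'pro' });
`;

console.log(findAffectedCalls(SAMPLE_SOURCE));
// A stale reverification must fail even though the role matches.
console.log(hasAll(session, { role: 'org:member', reverification: 10 }, NOW));
```

The scanner is only a way to enumerate call sites to review; the fix is the SDK upgrade named in the details. The evaluator illustrates the property a combined check must have (all requested conditions satisfied), which is the invariant to assert in your own tests around any authorization wrapper you keep.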

CWE(s)

CWE-754 Improper Check for Unusual or Exceptional Conditions (as cited in the summary); CWE-863 Incorrect Authorization (the weakness the mitigating-control mapping below is derived from).
MITRE ATT&CK Enterprise Techniques (AI-generated mapping)

Insufficient information to map techniques.
Confidence: LOW · MITRE ATT&CK Enterprise v19.0

Affected Assets

Vendor: clerk (npm packages under the @clerk scope)

Product                  Affected versions
clerk/astro              2.0.0 — 2.17.11 · 3.0.0 — 3.0.18
clerk/backend            2.0.0 — 2.33.3 · 3.0.0 — 3.2.14
clerk/chrome-extension   1.3.5 — 2.9.15 · 3.0.0 — 3.1.15
clerk/clerk-expo         2.2.11 — 2.19.36
clerk/clerk-js           5.22.0 — 5.125.10 · 6.0.0 — 6.7.5
clerk/clerk-react        5.9.0 — 5.61.6
clerk/expo               3.0.0 — 3.2.2
clerk/express            0.1.0 — 1.7.79 · 2.0.0 — 2.1.6
clerk/fastify            1.0.42 — 2.6.31 · 3.0.0 — 3.1.16
clerk/hono               0.0.2 — 0.1.16
+7 more product configuration(s) — see NVD for the full list

Mitigating Controls

Likely Mitigating Controls (AI-generated)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry. Each control addresses CWE-863 (Incorrect Authorization).

- Periodic review and update of procedures reduces incorrect authorization implementations over time.
- Supervision identifies cases where authorization logic incorrectly permits unauthorized actions.
- Defining permitted attribute values and auditing modifications reduces the chance of incorrect authorization outcomes due to tampered or missing labels.
- The authorization process and usage restrictions help prevent incorrect authorization for remote access types.
- Establishing configuration and connection requirements helps ensure correct rather than incorrect authorization for wireless access.
- Establishing connection authorization processes for mobile devices helps ensure authorization decisions are correctly implemented rather than incorrect.
- Monitoring account use, notifying on changes, and reviewing accounts for compliance corrects incorrect authorization assignments.
- Ensuring that authorization decisions for external system use are correctly implemented and enforced.
