CVE-2026-41248

critical

Published 2026-04-24 · Modified 2026-05-05

💬 Discuss on Community ✚ Propose mitigation

CVSS v3

9.1

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

CVSS v4 NEW

—

not yet in upstream

VIR risk

9.1

Description

Official Clerk JavaScript SDKs: Middleware-based route protection bypass

Predictions

Exploit likelihood

94%

Patch ETA

—

Heuristic predictions, AS-IS, for prioritization only.

Mitigations

No mitigations published for this CVE yet.

The vendor-content worker queues fetches as references arrive (check back in a few minutes). Or — if you've already worked around this in production — publish your fix to the community-verified tier.

✚ Propose a mitigation on Community → Mitigations published via the community go through AI scoring + 2 human reviewers + 7-day silent objection window before landing here with source_tier=community-verified.

Package impact

Ecosystem	Package	Vulnerable	Fixed
npm	@clerk/nextjs	`>=5.0.0,<5.7.6`	`5.7.6`
npm	@clerk/nuxt	`>=1.1.0,<1.13.28`	`1.13.28`
npm	@clerk/astro	`>=0.0.1,<1.5.7`	`1.5.7`
npm	@clerk/shared	`>=2.20.17,<2.22.1`	`2.22.1`
npm	@clerk/nextjs	`>=6.0.0-snapshot.vb87a27f,<6.39.2`	`6.39.2`
npm	@clerk/nextjs	`>=7.0.0,<7.2.1`	`7.2.1`
npm	@clerk/nuxt	`>=2.0.0,<2.2.2`	`2.2.2`
npm	@clerk/astro	`>=2.0.0-snapshot.v20241206174604,<2.17.10`	`2.17.10`
npm	@clerk/astro	`>=3.0.0,<3.0.15`	`3.0.15`
npm	@clerk/shared	`>=3.0.0-canary.v20250225091530,<3.47.4`	`3.47.4`
npm	@clerk/shared	`>=4.0.0,<4.8.1`	`4.8.1`

References

CWEs

CWE-436 CWE-863

Community-verified mitigations for this CVE will appear above when contributors publish them.

Verify integrity in audit chain (admin only). AS-IS.