CVE-2026-42349

high
Published 2026-05-11 · Modified 2026-05-13
CVSS v3
—
CVSS v4
7.6
CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
VIR risk
8.0

Description

Clerk has an authorization bypass when combining organization, billing, or reverification checks

Predictions

Exploit likelihood
20%
Patch ETA
—

Heuristic predictions, AS-IS, for prioritization only.

Mitigations

No mitigations published for this CVE yet.


Package impact

Ecosystem  Package                       Vulnerable              Fixed
npm        @clerk/shared                 >=3.0.0, <3.47.5        3.47.5
npm        @clerk/shared                 >=4.0.0, <4.8.3         4.8.3
npm        @clerk/backend                >=2.0.0, <2.33.3        2.33.3
npm        @clerk/backend                >=3.0.0, <3.2.14        3.2.14
npm        @clerk/nextjs                 >=6.0.0, <6.39.3        6.39.3
npm        @clerk/nextjs                 >=7.0.0, <7.2.4         7.2.4
npm        @clerk/clerk-js               >=5.22.0, <5.125.10     5.125.10
npm        @clerk/clerk-js               >=6.0.0, <6.7.5         6.7.5
npm        @clerk/clerk-react            >=5.9.0, <5.61.6        5.61.6
npm        @clerk/react                  >=6.0.0, <6.4.3         6.4.3
npm        @clerk/vue                    >=1.0.0, <1.17.21       1.17.21
npm        @clerk/vue                    >=2.0.0, <2.0.16        2.0.16
npm        @clerk/astro                  >=2.0.0, <2.17.11       2.17.11
npm        @clerk/astro                  >=3.0.0, <3.0.18        3.0.18
npm        @clerk/nuxt                   >=1.0.0, <1.13.29       1.13.29
npm        @clerk/nuxt                   >=2.0.0, <2.2.5         2.2.5
npm        @clerk/clerk-expo             >=2.2.11, <2.19.36      2.19.36
npm        @clerk/expo                   >=3.0.0, <3.2.2         3.2.2
npm        @clerk/react-router           >=0.0.1, <2.4.13        2.4.13
npm        @clerk/react-router           >=3.0.0, <3.1.4         3.1.4
npm        @clerk/tanstack-react-start   >=0.0.1, <0.29.11       0.29.11
npm        @clerk/tanstack-react-start   >=1.0.0, <1.1.4         1.1.4
npm        @clerk/chrome-extension       >=1.3.5, <2.9.15        2.9.15
npm        @clerk/chrome-extension       >=3.0.0, <3.1.15        3.1.15
npm        @clerk/fastify                >=1.0.42, <2.6.31       2.6.31
npm        @clerk/fastify                >=3.0.0, <3.1.16        3.1.16
npm        @clerk/express                >=0.1.0, <1.7.79        1.7.79
npm        @clerk/express                >=2.0.0, <2.1.6         2.1.6
npm        @clerk/hono                   >=0.0.2, <0.1.16        0.1.16

References

CWEs

CWE-754 CWE-863
