PT-2026-35082 · Clerk · @Clerk/Astro+3
Published
2026-04-16
·
Updated
2026-05-21
·
CVE-2026-41248
CVSS v3.1
9.1
Critical
| Vector | AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N |
Name of the Vulnerable Software and Affected Versions
@clerk/astro versions prior to 1.5.7
@clerk/astro versions prior to 2.17.10
@clerk/astro versions prior to 3.0.15
@clerk/nextjs versions prior to 5.7.6
@clerk/nextjs versions prior to 6.39.2
@clerk/nextjs versions prior to 7.2.1
@clerk/nuxt versions prior to 1.13.28
@clerk/nuxt versions prior to 2.2.2
@clerk/shared versions prior to 2.22.1
@clerk/shared versions prior to 3.47.4
@clerk/shared versions prior to 4.8.1
Description
The
createRouteMatcher function in @clerk/nextjs, @clerk/nuxt, and @clerk/astro can be bypassed using specifically crafted requests. This allows requests to skip middleware gating and access downstream handlers.Recommendations
Update @clerk/astro to version 1.5.7, 2.17.10, or 3.0.15.
Update @clerk/nextjs to version 5.7.6, 6.39.2, or 7.2.1.
Update @clerk/nuxt to version 1.13.28 or 2.2.2.
Update @clerk/shared to version 2.22.1, 3.47.4, or 4.8.1.
Fix
Incorrect Authorization
Found an issue in the description? Have something to add? Feel free to write us 👾
Related Identifiers
Affected Products
@Clerk/Astro
@Clerk/Nextjs
@Clerk/Nuxt
@Clerk/Shared