PT-2026-36820 · Clerk · @Clerk/Shared+3

Published: 2026-04-30 · Updated: 2026-05-11 · CVE-2026-42349

CVSS v4.0: 7.6 (High)
Vector: AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions

@clerk/clerk-js versions prior to 5.125.10
@clerk/clerk-js versions prior to 6.7.5
@clerk/shared (affected versions not specified)
@clerk/nextjs (affected versions not specified)
@clerk/backend (affected versions not specified)

Description

Authorization predicates, including has(), auth.protect() and related functions in several Clerk SDKs, can incorrectly return true during combined authorization checks (a single call that requires several conditions at once). As a result, users who do not satisfy all of the required conditions can perform gated actions. The bypass occurs when a reverification check is combined with a role, permission, feature or plan check, or when a billing check (feature or plan) is combined with a role or permission check. Additionally, in @clerk/nextjs, auth.protect() silently discards its authorization parameters if the argument object also contains unauthenticatedUrl, unauthorizedUrl or token, so the call enforces authentication only.

Recommendations

Update @clerk/clerk-js to version 5.125.10 (5.x) or 6.7.5 (6.x). As a temporary workaround, split combined has() or auth.protect() calls into sequential single-condition checks and require every check to pass. In @clerk/nextjs, do not pass authorization parameters to auth.protect() in the same argument object as unauthenticatedUrl, unauthorizedUrl or token until the package is updated.
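The workaround described above, as an added example that is not Clerk's code and not part of the advisory: a helper that runs each condition as its own single-key has() call and ANDs the results, plus a guard that rejects auth.protect() argument objects mixing authorization parameters with unauthenticatedUrl, unauthorizedUrl or token. The condition names (role, permission, feature, plan, reverification) and the has() calling convention are assumptions taken from the advisory's wording; the session model and the faulty combined check are constructed stand-ins that reproduce only the described symptom, not the library's actual logic.

```javascript
// Added example, not Clerk's code. Demonstrates the advisory's workaround:
// split a combined authorization check into sequential single-condition checks.
//
// Assumption: has(params) takes an object whose keys are the condition names
// below and is trusted only when called with exactly one key.
const AUTHZ_KEYS = ['role', 'permission', 'feature', 'plan', 'reverification'];
// Option keys that, per the advisory, cause @clerk/nextjs auth.protect() to
// drop its authorization parameters when present in the same object.
const PROTECT_OPTION_KEYS = ['unauthenticatedUrl', 'unauthorizedUrl', 'token'];

// Workaround: one has() call per condition, all of which must return true.
function hasAll(has, params) {
  const entries = Object.entries(params).filter(([k]) => AUTHZ_KEYS.includes(k));
  if (entries.length === 0) throw new Error('no authorization condition supplied');
  return entries.every(([key, value]) => has({ [key]: value }) === true);
}

// Guard for the auth.protect() pitfall: fail loudly instead of silently losing
// the authorization parameters. Returns true when the argument object is safe.
function assertProtectArgsSafe(args) {
  const keys = Object.keys(args || {});
  const authz = keys.filter((k) => AUTHZ_KEYS.includes(k));
  const opts = keys.filter((k) => PROTECT_OPTION_KEYS.includes(k));
  if (authz.length > 0 && opts.length > 0) {
    throw new Error(
      `auth.protect(): params ${authz.join(',')} would be discarded because ` +
      `${opts.join(',')} is also present; split into separate calls`
    );
  }
  return true;
}

// Constructed session model (sample data, not a real Clerk session).
function makeSession({ roles, permissions, features, plan, reverified }) {
  const checkOne = (key, value) => {
    switch (key) {
      case 'role': return roles.includes(value);
      case 'permission': return permissions.includes(value);
      case 'feature': return features.includes(value);
      case 'plan': return plan === value;
      case 'reverification': return reverified; // constructed: level ignored
      default: return false;
    }
  };
  return {
    // Constructed stand-in for the flawed predicate: single-condition calls
    // are correct, while a combined call can return true although one of its
    // conditions fails. This reproduces the advisory's symptom only.
    buggyHas(params) {
      const entries = Object.entries(params);
      if (entries.length === 1) return checkOne(...entries[0]);
      return entries.some(([k, v]) => checkOne(k, v));
    },
  };
}

// Member who has NOT recently reverified asks for an action gated on
// role AND reverification: combined call passes, sequential checks deny.
function demo() {
  const session = makeSession({
    roles: ['org:member'], permissions: [], features: ['exports'],
    plan: 'free', reverified: false,
  });
  const combined = { role: 'org:member', reverification: 'strict' };
  return {
    combined: session.buggyHas(combined),           // true: bypass symptom
    sequential: hasAll(session.buggyHas, combined), // false: workaround denies
  };
}
```

hasAll only trusts single-key calls, so it stays correct whether or not the underlying has() has the combined-check defect, which is what makes it a safe interim replacement until the fixed package is deployed.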

Exploit

Fix

Weakness Enumeration

Improper Check for Exceptional Conditions (CWE-754)
Incorrect Authorization (CWE-863)

Related Identifiers

CVE-2026-42349
GHSA-W24R-5266-9C3C

Affected Products

@Clerk/Backend
@Clerk/Clerk-Js
@Clerk/Nextjs
@Clerk/Shared