{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/products/@clerk/fastify/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["@clerk/shared","@clerk/backend","@clerk/nextjs","@clerk/clerk-js","@clerk/clerk-react","@clerk/react","@clerk/vue","@clerk/astro","@clerk/nuxt","@clerk/clerk-expo","@clerk/expo","@clerk/react-router","@clerk/tanstack-react-start","@clerk/chrome-extension","@clerk/fastify","@clerk/express","@clerk/hono"],"_cs_severities":["high"],"_cs_tags":["authorization","bypass","clerk","cve-2026-42349"],"_cs_type":"advisory","_cs_vendors":["Clerk"],"content_html":"\u003cp\u003eA critical authorization bypass vulnerability has been identified in Clerk\u0026rsquo;s authorization predicates (\u003ccode\u003ehas()\u003c/code\u003e and \u003ccode\u003eauth.protect()\u003c/code\u003e) across multiple SDKs, including \u003ccode\u003e@clerk/shared\u003c/code\u003e, \u003ccode\u003e@clerk/nextjs\u003c/code\u003e, and \u003ccode\u003e@clerk/backend\u003c/code\u003e. This flaw, reported on April 18, 2026, and patched on April 22, 2026, can lead to incorrect authorization decisions when combining multiple authorization dimensions (e.g., reverification with role). Specifically, the predicates may return \u003ccode\u003etrue\u003c/code\u003e even if the user does not satisfy all required conditions, potentially allowing unauthorized access to gated actions. A secondary bypass exists in \u003ccode\u003e@clerk/nextjs\u003c/code\u003e, where \u003ccode\u003eauth.protect()\u003c/code\u003e silently discards authorization parameters under certain conditions. The vulnerability affects applications using specific combinations of authorization checks, emphasizing the need for immediate patching.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker identifies an application utilizing affected Clerk packages and vulnerable authorization checks.\u003c/li\u003e\n\u003cli\u003eThe attacker targets an endpoint protected by a combined authorization check (e.g., requiring a specific role and reverification).\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a request that satisfies one, but not all, of the authorization conditions.\u003c/li\u003e\n\u003cli\u003eDue to the bypass vulnerability, the \u003ccode\u003ehas()\u003c/code\u003e or \u003ccode\u003eauth.protect()\u003c/code\u003e predicate incorrectly returns \u003ccode\u003etrue\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe application grants the attacker access to the protected resource or functionality.\u003c/li\u003e\n\u003cli\u003eIn the case of the \u003ccode\u003e@clerk/nextjs\u003c/code\u003e bypass, the attacker might exploit the silent discarding of authorization parameters when \u003ccode\u003eunauthenticatedUrl\u003c/code\u003e, \u003ccode\u003eunauthorizedUrl\u003c/code\u003e, or \u003ccode\u003etoken\u003c/code\u003e are also present in the \u003ccode\u003eauth.protect()\u003c/code\u003e call, effectively bypassing authorization.\u003c/li\u003e\n\u003cli\u003eThe attacker performs unauthorized actions, such as modifying data or accessing restricted areas of the application.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability could lead to unauthorized access to sensitive resources and functionalities within applications using Clerk for authentication and authorization. This could result in data breaches, privilege escalation, and other security incidents. The vulnerability affects a wide range of Clerk packages, potentially impacting a significant number of applications relying on Clerk for access control. Immediate patching is crucial to mitigate the risk of exploitation.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade to the latest patch release of the consuming app\u0026rsquo;s framework package as specified in the advisory to remediate CVE-2026-42349.\u003c/li\u003e\n\u003cli\u003eIf immediate upgrade is not feasible, implement the suggested workaround of splitting combined \u003ccode\u003ehas()\u003c/code\u003e or \u003ccode\u003eauth.protect()\u003c/code\u003e calls into sequential single-condition checks as described in the advisory.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eClerkAuthProtectBypass\u003c/code\u003e to detect potential exploitation attempts by monitoring for calls to \u003ccode\u003eauth.protect\u003c/code\u003e that include \u003ccode\u003eunauthenticatedUrl\u003c/code\u003e, \u003ccode\u003eunauthorizedUrl\u003c/code\u003e, or \u003ccode\u003etoken\u003c/code\u003e parameters.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eClerkCombinedAuthCheckBypass\u003c/code\u003e to identify suspicious process creation events that may indicate unauthorized access due to the authorization bypass.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-30T18:20:02Z","date_published":"2026-04-30T18:20:02Z","id":"/briefs/2026-04-clerk-auth-bypass/","summary":"Clerk has an authorization bypass vulnerability in multiple packages where the `has()` and `auth.protect()` predicates can incorrectly return true, potentially allowing unauthorized actions.","title":"Clerk Authorization Bypass Vulnerability","url":"https://feed.craftedsignal.io/briefs/2026-04-clerk-auth-bypass/"}],"language":"en","title":"CraftedSignal Threat Feed — @Clerk/Fastify","version":"https://jsonfeed.org/version/1.1"}