{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/middleware-vulnerability/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["critical"],"_cs_tags":["route-bypass","middleware-vulnerability","javascript-sdk"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eA critical vulnerability exists in the \u003ccode\u003e@clerk/nextjs\u003c/code\u003e, \u003ccode\u003e@clerk/nuxt\u003c/code\u003e, and \u003ccode\u003e@clerk/astro\u003c/code\u003e JavaScript SDKs, specifically within the \u003ccode\u003ecreateRouteMatcher\u003c/code\u003e function. This flaw, reported on April 13, 2026, and patched by April 15, 2026, allows attackers to craft specific HTTP requests that bypass the middleware-based route protection implemented using \u003ccode\u003ecreateRouteMatcher\u003c/code\u003e. This bypass allows unauthenticated or unauthorized users to access routes intended to be protected by the middleware, potentially leading to information disclosure or unauthorized actions if proper authentication checks are not implemented further down the application stack. The vulnerability affects applications using versions prior to the patched versions listed below.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker identifies an application using a vulnerable version of \u003ccode\u003e@clerk/nextjs\u003c/code\u003e, \u003ccode\u003e@clerk/nuxt\u003c/code\u003e, or \u003ccode\u003e@clerk/astro\u003c/code\u003e with middleware route protection implemented using \u003ccode\u003ecreateRouteMatcher\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious HTTP request designed to exploit the vulnerability in \u003ccode\u003ecreateRouteMatcher\u003c/code\u003e, effectively bypassing the intended route matching logic.\u003c/li\u003e\n\u003cli\u003eThe crafted request is sent to the application, targeting a route protected by the vulnerable middleware.\u003c/li\u003e\n\u003cli\u003eDue to the bypass, the request proceeds past the middleware gate, reaching the downstream route handler (API route, server component, etc.).\u003c/li\u003e\n\u003cli\u003eIf the downstream route handler lacks sufficient authentication or authorization checks, the attacker gains unauthorized access.\u003c/li\u003e\n\u003cli\u003eThe attacker performs actions within the application based on the bypassed route, such as accessing sensitive data or triggering unintended functionality.\u003c/li\u003e\n\u003cli\u003eThe attacker may then attempt further exploitation or lateral movement within the application.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThis vulnerability allows attackers to bypass intended route protections. The impact is highly dependent on the application\u0026rsquo;s design. If applications solely rely on \u003ccode\u003ecreateRouteMatcher\u003c/code\u003e for route protection and lack additional authentication checks in route handlers or server components, the consequences could be severe, including unauthorized access to sensitive data or functionality. While the vulnerability does not compromise existing sessions or allow for user impersonation, it weakens the overall security posture. It is important to note that external APIs which authenticate each request with a token are unaffected on those endpoints, since token verification runs independently.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eImmediately upgrade to the patched versions of \u003ccode\u003e@clerk/nextjs\u003c/code\u003e, \u003ccode\u003e@clerk/nuxt\u003c/code\u003e, \u003ccode\u003e@clerk/astro\u003c/code\u003e, and \u003ccode\u003e@clerk/shared\u003c/code\u003e as outlined in the advisory to remediate the vulnerability.\u003c/li\u003e\n\u003cli\u003eReview all route handlers, server components, and server actions protected by \u003ccode\u003ecreateRouteMatcher\u003c/code\u003e to ensure they include server-side auth checks using \u003ccode\u003eauth()\u003c/code\u003e as a defense-in-depth measure.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule to detect potential exploitation attempts targeting the vulnerable \u003ccode\u003ecreateRouteMatcher\u003c/code\u003e function in your web server logs.\u003c/li\u003e\n\u003cli\u003eMonitor your application logs for unusual or unauthorized access attempts to protected routes, especially those matching the route patterns configured in \u003ccode\u003ecreateRouteMatcher\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eRun \u003ccode\u003enpm why @clerk/shared\u003c/code\u003e (or your package manager\u0026rsquo;s equivalent) to check the installed version of \u003ccode\u003e@clerk/shared\u003c/code\u003e.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-17T12:00:00Z","date_published":"2026-04-17T12:00:00Z","id":"/briefs/2026-04-clerk-middleware-bypass/","summary":"A vulnerability in `@clerk/nextjs`, `@clerk/nuxt`, and `@clerk/astro` allows crafted requests to bypass middleware gating via `createRouteMatcher`, potentially exposing protected routes if downstream authentication checks are absent.","title":"Clerk JavaScript SDK Middleware Route Protection Bypass","url":"https://feed.craftedsignal.io/briefs/2026-04-clerk-middleware-bypass/"}],"language":"en","title":"CraftedSignal Threat Feed — Middleware-Vulnerability","version":"https://jsonfeed.org/version/1.1"}