{
  "affected": [
    {
      "ranges": [
        {
          "database_specific": {
            "extracted_events": [
              {
                "introduced": "0.0.1"
              },
              {
                "fixed": "1.5.7"
              },
              {
                "introduced": "2.0.0-snapshot.v20241206174604"
              },
              {
                "last_affected": "2.17.9"
              },
              {
                "introduced": "6.0.0-snapshot.vb87a27f"
              },
              {
                "fixed": "6.39.2"
              },
              {
                "introduced": "3.0.0-canary.v20250225091530"
              },
              {
                "fixed": "3.47.4"
              },
              {
                "introduced": "3.0.0"
              },
              {
                "fixed": "3.0.15"
              },
              {
                "introduced": "7.0.0"
              },
              {
                "fixed": "7.2.1"
              },
              {
                "introduced": "2.0.0"
              },
              {
                "fixed": "2.2.2"
              },
              {
                "introduced": "1.1.0"
              },
              {
                "fixed": "1.13.28"
              },
              {
                "introduced": "4.0.0"
              },
              {
                "fixed": "4.8.1"
              }
            ],
            "source": "AFFECTED_FIELD"
          },
          "events": [
            {
              "introduced": "54252f806fb56136a54f1180cd7b806bc2fb85a3"
            },
            {
              "fixed": "07ab8513a1572edd26d2522eda1eca10b79336b9"
            },
            {
              "introduced": "0"
            },
            {
              "fixed": "27e4f4b9e4664f5f6ad3db7481bb6af849ede712"
            },
            {
              "introduced": "aac87a5de8171dd27965dfecc5fabdf12b63216f"
            },
            {
              "fixed": "6399251dd289870193ebf86eb2d67c9dee218df8"
            },
            {
              "introduced": "6448c21fdf0cbfed316b29c51e833386b1d334e6"
            },
            {
              "fixed": "6399251dd289870193ebf86eb2d67c9dee218df8"
            },
            {
              "fixed": "ba158acdd8a7292c7a4647702fa5fc9f57019d43"
            },
            {
              "introduced": "7137f2928282b3b329e616f8d3caf76f3abb6bbc"
            },
            {
              "fixed": "1a510b733896a441236a64465f7484278997b379"
            },
            {
              "introduced": "712c8ea792693a335d9bf39c28e550216cb71bcb"
            },
            {
              "fixed": "6399251dd289870193ebf86eb2d67c9dee218df8"
            }
          ],
          "repo": "https://github.com/clerk/javascript",
          "type": "GIT"
        }
      ]
    }
  ],
  "aliases": [
    "GHSA-vqx2-fgx2-5wq9"
  ],
  "database_specific": {
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
      "CWE-436",
      "CWE-863"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/41xxx/CVE-2026-41248.json",
    "unresolved_ranges": [
      {
        "extracted_events": [
          {
            "introduced": "5.0.0"
          },
          {
            "fixed": "5.7.6"
          },
          {
            "introduced": "2.20.17"
          },
          {
            "fixed": "2.22.1"
          }
        ],
        "source": "AFFECTED_FIELD"
      }
    ]
  },
  "details": "Clerk JavaScript is the official JavaScript repository for Clerk authentication. createRouteMatcher in @clerk/nextjs, @clerk/nuxt, and @clerk/astro can be bypassed by certain crafted requests, allowing them to skip middleware gating and reach downstream handlers. This vulnerability is fixed in @clerk/astro 1.5.7, 2.17.10, and 3.0.15; @clerk/nextjs 5.7.6, 6.39.2, and 7.2.1; @clerk/nuxt 1.13.28 and 2.2.2; and @clerk/shared 2.22.1, 3.47.4, anc 4.8.1",
  "id": "CVE-2026-41248",
  "modified": "2026-07-08T05:37:38.361056399Z",
  "published": "2026-04-24T21:04:35.810Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/41xxx/CVE-2026-41248.json"
    },
    {
      "type": "ADVISORY",
      "url": "https://github.com/clerk/javascript/security/advisories/GHSA-vqx2-fgx2-5wq9"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-41248"
    }
  ],
  "schema_version": "1.7.5",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Official Clerk JavaScript SDKs:  Middleware-based route protection bypass"
}