{
  "affected": [
    {
      "ranges": [
        {
          "database_specific": {
            "cpe": [
              "cpe:2.3:a:clerk:clerk\\/backend:*:*:*:*:*:node.js:*:*",
              "cpe:2.3:a:clerk:clerk\\/chrome-extension:*:*:*:*:*:node.js:*:*",
              "cpe:2.3:a:clerk:clerk\\/expo:*:*:*:*:*:node.js:*:*",
              "cpe:2.3:a:clerk:clerk\\/fastify:*:*:*:*:*:node.js:*:*",
              "cpe:2.3:a:clerk:clerk\\/react-router:*:*:*:*:*:node.js:*:*",
              "cpe:2.3:a:clerk:clerk\\/clerk-expo:*:*:*:*:*:node.js:*:*",
              "cpe:2.3:a:clerk:clerk\\/clerk-react:*:*:*:*:*:node.js:*:*",
              "cpe:2.3:a:clerk:clerk\\/express:*:*:*:*:*:node.js:*:*",
              "cpe:2.3:a:clerk:clerk\\/nuxt:*:*:*:*:*:node.js:*:*",
              "cpe:2.3:a:clerk:clerk\\/vue:*:*:*:*:*:node.js:*:*",
              "cpe:2.3:a:clerk:clerk\\/hono:*:*:*:*:*:node.js:*:*",
              "cpe:2.3:a:clerk:clerk\\/tanstack-react-start:*:*:*:*:*:node.js:*:*",
              "cpe:2.3:a:clerk:clerk\\/shared:*:*:*:*:*:node.js:*:*"
            ],
            "extracted_events": [
              {
                "introduced": "3.0.0"
              },
              {
                "fixed": "3.2.14"
              },
              {
                "fixed": "3.1.15"
              },
              {
                "fixed": "3.2.2"
              },
              {
                "fixed": "3.1.16"
              },
              {
                "fixed": "3.1.4"
              },
              {
                "introduced": "1.3.5"
              },
              {
                "fixed": "2.9.15"
              },
              {
                "introduced": "2.2.11"
              },
              {
                "fixed": "2.19.36"
              },
              {
                "introduced": "5.9.0"
              },
              {
                "fixed": "5.61.6"
              },
              {
                "introduced": "2.0.0"
              },
              {
                "fixed": "2.1.6"
              },
              {
                "fixed": "2.2.5"
              },
              {
                "fixed": "2.0.16"
              },
              {
                "introduced": "0.0.2"
              },
              {
                "fixed": "0.1.16"
              },
              {
                "introduced": "1.0.0"
              },
              {
                "fixed": "1.13.29"
              },
              {
                "fixed": "1.1.4"
              },
              {
                "introduced": "0.0.1"
              },
              {
                "fixed": "2.4.13"
              },
              {
                "introduced": "4.0.0"
              },
              {
                "fixed": "4.8.3"
              }
            ],
            "source": "CPE_RANGE"
          },
          "events": [
            {
              "introduced": "aac87a5de8171dd27965dfecc5fabdf12b63216f"
            },
            {
              "fixed": "c0b1f312dc6e45ccd8d1f87c1bb883c802a5fa15"
            },
            {
              "fixed": "18aba588b53bf08a339ca890933c1e0b6a88c870"
            },
            {
              "fixed": "7fac11041b26e783d92cbf25af87364e07a26d6c"
            },
            {
              "fixed": "0ca810db89b627e6690cb3a9cc48bb021e750b6f"
            },
            {
              "fixed": "65b7bf681cc892d77a4b42e45f01187141a630db"
            },
            {
              "introduced": "28d3e2a78fa9c6957b28e7c127442689549e3dc8"
            },
            {
              "fixed": "d577c8629f7bfb4e64c33ef8c7c5cc5b23794df3"
            },
            {
              "introduced": "5b4c220fe5bbdcf7fbf3b29945d83be77d215bef"
            },
            {
              "fixed": "4914e490d029cd7acbfc0f2c1fdf254fe456507e"
            },
            {
              "introduced": "f532a8f62ff915240741843ad911c697e38c80b7"
            },
            {
              "fixed": "4914e490d029cd7acbfc0f2c1fdf254fe456507e"
            },
            {
              "introduced": "6448c21fdf0cbfed316b29c51e833386b1d334e6"
            },
            {
              "fixed": "74ddb3486e0f8b1e86a6c4b1cb4a1fe85787e177"
            },
            {
              "fixed": "1d2b972340cbe3ec776b0db2ae2c32a8abc2dedc"
            },
            {
              "fixed": "cc8fed56312fa186bf52914a021d5cd9208292d0"
            },
            {
              "introduced": "bbddc9471ae2695eeb68ad818896c19312e7c625"
            },
            {
              "fixed": "f3175f27cb9233dbba007623d6ef3bdf9971a046"
            },
            {
              "introduced": "1f8907b8019a7c21ce93baaae639f43913ec23ee"
            },
            {
              "fixed": "833439e22f56ab1e44bb08c6d4c6d1b2c1e3913c"
            },
            {
              "fixed": "d87e99d8e363df773447f7e6563bee1c04ce63d3"
            },
            {
              "introduced": "54252f806fb56136a54f1180cd7b806bc2fb85a3"
            },
            {
              "fixed": "c3facf1d1877261c01be5a446458f37e75c6d354"
            },
            {
              "introduced": "712c8ea792693a335d9bf39c28e550216cb71bcb"
            },
            {
              "fixed": "1367d39d97629753e8d0e5780b81906ad61e2d29"
            }
          ],
          "repo": "https://github.com/clerk/javascript",
          "type": "GIT"
        }
      ]
    }
  ],
  "aliases": [
    "GHSA-w24r-5266-9c3c"
  ],
  "database_specific": {
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
      "CWE-754",
      "CWE-863"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/42xxx/CVE-2026-42349.json",
    "unresolved_ranges": [
      {
        "extracted_events": [
          {
            "introduced": "5.22.0"
          },
          {
            "fixed": "5.125.10"
          },
          {
            "introduced": "6.0.0"
          },
          {
            "fixed": "6.7.5"
          }
        ],
        "source": "AFFECTED_FIELD"
      }
    ]
  },
  "details": "Clerk JavaScript is the official JavaScript repository for Clerk authentication. has(), auth.protect(), and related authorization predicates in @clerk/shared, @clerk/nextjs, @clerk/backend, and other framework SDKs can return true for certain combined authorization checks when the result should be false, allowing a gated action to proceed for a user who does not satisfy the full set of requested conditions. This call shape can be bypassed if certain conditions are met: a has() or auth.protect() call that combines a reverification check with any of role, permission, feature, or plan, or that combines a billing check (feature or plan) with a role or permission check. This vulnerability is fixed in  @clerk/clerk-js 5.125.10 and 6.7.5.",
  "id": "CVE-2026-42349",
  "modified": "2026-07-08T05:39:31.703432426Z",
  "published": "2026-05-11T16:08:27.869Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/42xxx/CVE-2026-42349.json"
    },
    {
      "type": "ADVISORY",
      "url": "https://github.com/clerk/javascript/security/advisories/GHSA-w24r-5266-9c3c"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-42349"
    }
  ],
  "schema_version": "1.7.5",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Clerk: Authorization bypass when combining organization, billing, or reverification checks"
}