CVE-2026-42349— Official Clerk JavaScript SDKs 代码问题漏洞

AI 预测 7.5 利用难度: 较易 EPSS 0.05% · P17 更新于 2026-05-15

影响版本矩阵 29

厂商	产品	版本范围	状态
@clerk	astro	`>= 2.0.0, <= 2.17.10`	affected
		`>= 3.0.0, <= 3.0.17`	affected
@clerk	backend	`>= 2.0.0, <= 2.33.2`	affected
		`>= 3.0.0, <= 3.2.13`	affected
@clerk	chrome-extension	`>= 1.3.5, <= 2.9.14`	affected
		`>= 3.0.0, <= 3.1.14`	affected
@clerk	clerk-expo	`>= 2.2.11, <= 2.19.35`	affected
@clerk	clerk-react	`>= 5.9.0, <= 5.61.5`	affected
@clerk	expo	`>= 3.0.0, <= 3.2.1`	affected
@clerk	express	`>= 0.1.0, <= 1.7.78`	affected
		`>= 2.0.0, <= 2.1.5`	affected
@clerk	fastify	`>= 1.0.42, <= 2.6.30`	affected
		`>= 3.0.0, <= 3.1.15`	affected
@clerk	hono	`>= 0.0.2, <= 0.1.15`	affected
@clerk	nextjs	`>= 6.0.0, <= 6.39.2`	affected
		`>= 7.0.0, <= 7.2.3`	affected
@clerk	nuxt	`>= 1.0.0, <= 1.13.28`	affected
		`>= 2.0.0, <= 2.2.4`	affected
@clerk	react	`>= 6.0.0, <= 6.4.2`	affected
@clerk	react-router	`>= 0.0.1, <= 2.4.12`	affected
		`>= 3.0.0, <= 3.1.3`	affected
@clerk	shared	`>= 3.0.0, <= 3.47.4`	affected
		`>= 4.0.0, <= 4.8.2`	affected
@clerk	tanstack-react-start	`>= 0.0.1, <= 0.29.10`	affected
		`>= 1.0.0, <= 1.1.3`	affected
@clerk	vue	`>= 1.0.0, <= 1.17.20`	affected
		`>= 2.0.0, <= 2.0.15`	affected
clerk	javascript	`>= 5.22.0, < 5.125.10`	affected
		`>= 6.0.0, < 6.7.5`	affected

获取后续新漏洞提醒登录后订阅

一、漏洞 CVE-2026-42349 基础信息

漏洞信息

对漏洞内容有疑问？看看神龙的深度分析是否有帮助！

查看神龙十问 ↗

尽管我们使用了先进的大模型技术，但其输出仍可能包含不准确或过时的信息。神龙努力确保数据的准确性，但请您根据实际情况进行核实和判断。

Vulnerability Title

Clerk: Authorization bypass when combining organization, billing, or reverification checks

来源: 美国国家漏洞数据库 NVD

Vulnerability Description

Clerk JavaScript is the official JavaScript repository for Clerk authentication. has(), auth.protect(), and related authorization predicates in @clerk/shared, @clerk/nextjs, @clerk/backend, and other framework SDKs can return true for certain combined authorization checks when the result should be false, allowing a gated action to proceed for a user who does not satisfy the full set of requested conditions. This call shape can be bypassed if certain conditions are met: a has() or auth.protect() call that combines a reverification check with any of role, permission, feature, or plan, or that combines a billing check (feature or plan) with a role or permission check. This vulnerability is fixed in @clerk/clerk-js 5.125.10 and 6.7.5.

来源: 美国国家漏洞数据库 NVD

CVSS Information

N/A

来源: 美国国家漏洞数据库 NVD

Vulnerability Type

对因果或异常条件的不恰当检查

来源: 美国国家漏洞数据库 NVD

Vulnerability Title

Official Clerk JavaScript SDKs 代码问题漏洞

来源: 中国国家信息安全漏洞库 CNNVD

Vulnerability Description

Official Clerk JavaScript SDKs是Clerk开源的一个用于 Clerk 身份验证的官方 Javascript 存储库。 Official Clerk JavaScript SDKs存在代码问题漏洞，该漏洞源于has()、auth.protect()及相关授权谓词在特定组合授权检查中可能返回true，可能导致不满足全部条件的用户绕过授权检查执行受限操作。

来源: 中国国家信息安全漏洞库 CNNVD

CVSS Information

N/A

来源: 中国国家信息安全漏洞库 CNNVD

Vulnerability Type

N/A

来源: 中国国家信息安全漏洞库 CNNVD

受影响产品

厂商	产品	影响版本	CPE
clerk	javascript	>= 5.22.0, < 5.125.10	-
@clerk	shared	>= 3.0.0, <= 3.47.4	-
@clerk	backend	>= 2.0.0, <= 2.33.2	-
@clerk	nextjs	>= 6.0.0, <= 6.39.2	-
@clerk	clerk-react	>= 5.9.0, <= 5.61.5	-
@clerk	react	>= 6.0.0, <= 6.4.2	-
@clerk	vue	>= 1.0.0, <= 1.17.20	-
@clerk	astro	>= 2.0.0, <= 2.17.10	-
@clerk	nuxt	>= 1.0.0, <= 1.13.28	-
@clerk	clerk-expo	>= 2.2.11, <= 2.19.35	-
@clerk	expo	>= 3.0.0, <= 3.2.1	-
@clerk	react-router	>= 0.0.1, <= 2.4.12	-
@clerk	tanstack-react-start	>= 0.0.1, <= 0.29.10	-
@clerk	chrome-extension	>= 1.3.5, <= 2.9.14	-
@clerk	fastify	>= 1.0.42, <= 2.6.30	-
@clerk	express	>= 0.1.0, <= 1.7.78	-
@clerk	hono	>= 0.0.2, <= 0.1.15	-

二、漏洞 CVE-2026-42349 的公开POC

#	POC 描述	源链接	神龙链接

AI 生成 POC高级

未找到公开 POC。

登录以生成 AI POC

三、漏洞 CVE-2026-42349 的情报信息

请登录查看更多情报信息。

IV. Related Vulnerabilities

Same product: javascript

Same vendor: clerk

Same weakness: CWE-754

V. Comments for CVE-2026-42349

暂无评论

目标达成感谢每一位支持者 — 我们达成了 100% 目标！

CVE-2026-42349— Official Clerk JavaScript SDKs 代码问题漏洞

影响版本矩阵 29

一、漏洞 CVE-2026-42349 基础信息

漏洞信息

Vulnerability Title

Vulnerability Description

CVSS Information

Vulnerability Type

Vulnerability Title

Vulnerability Description

CVSS Information

Vulnerability Type

受影响产品

二、漏洞 CVE-2026-42349 的公开POC

三、漏洞 CVE-2026-42349 的情报信息

IV. Related Vulnerabilities

V. Comments for CVE-2026-42349

发表评论

目标达成 感谢每一位支持者 — 我们达成了 100% 目标！

CVE-2026-42349— Official Clerk JavaScript SDKs 代码问题漏洞

影响版本矩阵 29

一、 漏洞 CVE-2026-42349 基础信息

漏洞信息

Vulnerability Title

Vulnerability Description

CVSS Information

Vulnerability Type

Vulnerability Title

Vulnerability Description

CVSS Information

Vulnerability Type

受影响产品

二、漏洞 CVE-2026-42349 的公开POC

三、漏洞 CVE-2026-42349 的情报信息

IV. Related Vulnerabilities

V. Comments for CVE-2026-42349

发表评论

目标达成感谢每一位支持者 — 我们达成了 100% 目标！

一、漏洞 CVE-2026-42349 基础信息