{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-34076", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-25T16:21:40.868Z", "datePublished": "2026-04-01T16:59:21.828Z", "dateUpdated": "2026-04-01T18:00:23.118Z"}, "containers": {"cna": {"title": "Clerk JavaScript: SSRF in the opt-in clerkFrontendApiProxy feature may leak secret keys to unintended host", "problemTypes": [{"descriptions": [{"cweId": "CWE-918", "lang": "en", "description": "CWE-918: Server-Side Request Forgery (SSRF)", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.4, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/clerk/javascript/security/advisories/GHSA-gjxx-92w9-8v8f", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/clerk/javascript/security/advisories/GHSA-gjxx-92w9-8v8f"}], "affected": [{"vendor": "clerk", "product": "javascript", "versions": [{"version": "@clerk/hono >= 0.1.0, < 0.1.5", "status": "affected"}, {"version": "@clerk/express >= 2.0.0, < 2.0.7", "status": "affected"}, {"version": "@clerk/backend >= 3.0.0, < 3.2.3", "status": "affected"}, {"version": "@clerk/fastify >= 3.1.0, < 3.1.5", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-01T16:59:21.828Z"}, "descriptions": [{"lang": "en", "value": "Clerk JavaScript is the official JavaScript repository for Clerk authentication. In @clerk/hono from versions 0.1.0 to before 0.1.5, @clerk/express from versions 2.0.0 to before 2.0.7, @clerk/backend from versions 3.0.0 to before 3.2.3, and @clerk/fastify from versions 3.1.0 to before 3.1.5, the clerkFrontendApiProxy function in @clerk/backend is vulnerable to Server-Side Request Forgery (SSRF). An unauthenticated attacker can craft a request path that causes the proxy to send the application's Clerk-Secret-Key to an attacker-controlled server. This issue has been patched in @clerk/hono version 0.1.5, @clerk/express version 2.0.7, @clerk/backend version 3.2.3, and @clerk/fastify version 3.1.5."}], "source": {"advisory": "GHSA-gjxx-92w9-8v8f", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-01T18:00:15.522839Z", "id": "CVE-2026-34076", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-01T18:00:23.118Z"}}]}}

{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-34076", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-25T16:21:40.868Z", "datePublished": "2026-04-01T16:59:21.828Z", "dateUpdated": "2026-04-01T18:00:23.118Z"}, "containers": {"cna": {"title": "Clerk JavaScript: SSRF in the opt-in clerkFrontendApiProxy feature may leak secret keys to unintended host", "problemTypes": [{"descriptions": [{"cweId": "CWE-918", "lang": "en", "description": "CWE-918: Server-Side Request Forgery (SSRF)", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.4, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/clerk/javascript/security/advisories/GHSA-gjxx-92w9-8v8f", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/clerk/javascript/security/advisories/GHSA-gjxx-92w9-8v8f"}], "affected": [{"vendor": "clerk", "product": "javascript", "versions": [{"version": "@clerk/hono >= 0.1.0, < 0.1.5", "status": "affected"}, {"version": "@clerk/express >= 2.0.0, < 2.0.7", "status": "affected"}, {"version": "@clerk/backend >= 3.0.0, < 3.2.3", "status": "affected"}, {"version": "@clerk/fastify >= 3.1.0, < 3.1.5", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-01T16:59:21.828Z"}, "descriptions": [{"lang": "en", "value": "Clerk JavaScript is the official JavaScript repository for Clerk authentication. In @clerk/hono from versions 0.1.0 to before 0.1.5, @clerk/express from versions 2.0.0 to before 2.0.7, @clerk/backend from versions 3.0.0 to before 3.2.3, and @clerk/fastify from versions 3.1.0 to before 3.1.5, the clerkFrontendApiProxy function in @clerk/backend is vulnerable to Server-Side Request Forgery (SSRF). An unauthenticated attacker can craft a request path that causes the proxy to send the application's Clerk-Secret-Key to an attacker-controlled server. This issue has been patched in @clerk/hono version 0.1.5, @clerk/express version 2.0.7, @clerk/backend version 3.2.3, and @clerk/fastify version 3.1.5."}], "source": {"advisory": "GHSA-gjxx-92w9-8v8f", "discovery": "UNKNOWN"}}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-34076", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-04-01T18:00:15.522839Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-01T18:00:19.126Z"}}]}}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Clerk JavaScript is the official JavaScript repository for Clerk authentication. In @clerk/hono from versions 0.1.0 to before 0.1.5, @clerk/express from versions 2.0.0 to before 2.0.7, @clerk/backend from versions 3.0.0 to before 3.2.3, and @clerk/fastify from versions 3.1.0 to before 3.1.5, the clerkFrontendApiProxy function in @clerk/backend is vulnerable to Server-Side Request Forgery (SSRF). An unauthenticated attacker can craft a request path that causes the proxy to send the application's Clerk-Secret-Key to an attacker-controlled server. This issue has been patched in @clerk/hono version 0.1.5, @clerk/express version 2.0.7, @clerk/backend version 3.2.3, and @clerk/fastify version 3.1.5."}], "id": "CVE-2026-34076", "lastModified": "2026-04-29T20:58:46.330", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.4, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 2.2, "impactScore": 5.2, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-04-01T18:16:29.527", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/clerk/javascript/security/advisories/GHSA-gjxx-92w9-8v8f"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-918"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "@clerk/hono >= 0.1.0, < 0.1.5"}}, {"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "@clerk/express >= 2.0.0, < 2.0.7"}}, {"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "@clerk/backend >= 3.0.0, < 3.2.3"}}, {"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "@clerk/fastify >= 3.1.0, < 3.1.5"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "javascript", "source": "cna", "vendor": "clerk"}, "product": "javascript", "vendor": "clerk"}], "analysis": {"en": {"generated_at": "2026-04-02T03:46:44.375520+00:00", "value": {"mitigation_remediation": ["Upgrade all Clerk packages to the patched versions: @clerk/hono v0.1.5 or newer, @clerk/express v2.0.7 or newer, @clerk/backend v3.2.3 or newer, @clerk/fastify v3.1.5 or newer."], "summary": {"action": "Immediate Patch", "impact": "Secret key disclosure via SSRF"}, "threat_synthesis": {"affected_systems": "The issue affects Clerk\u2019s official JavaScript SDK, specifically @clerk/hono versions 0.1.0 to 0.1.4, @clerk/express versions 2.0.0 to 2.0.6, @clerk/backend versions 3.0.0 to 3.2.2, and @clerk/fastify versions 3.1.0 to 3.1.4. Updated releases are available that contain the fix.", "description_and_impact": "Clerk JavaScript\u2019s clerkFrontendApiProxy feature is susceptible to Server-Side Request Forgery, allowing an unauthenticated attacker to craft a request path that causes the proxy to forward the application\u2019s Clerk\u2011Secret\u2011Key to an external host. The vulnerability, identified as CWE\u2011918, results in a confidentiality breach that could enable the attacker to perform further malicious actions or gain unauthorized access to protected resources.", "risk_and_exploitability": "With a CVSS score of 7.4 the vulnerability is considered high severity. While EPSS data is unavailable and it is not listed in the CISA KEV catalog, the vulnerability can be exploited without authentication, provided the attacker can send a crafted request to the application. The attack path involves supplying a malicious path to the clerkFrontendApiProxy endpoint, which will then forward the secret key to the attacker-controlled server, potentially exposing credentials used by the application."}}}}, "created": "2026-04-02T07:48:15.065223+00:00", "updated": "2026-04-02T20:17:11.528729+00:00", "vendors": ["clerk", "clerk$PRODUCT$javascript"]}