{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-41248", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-04-18T03:47:03.136Z", "datePublished": "2026-04-24T21:04:35.810Z", "dateUpdated": "2026-04-27T13:46:28.646Z"}, "containers": {"cna": {"title": "Official Clerk JavaScript SDKs: Middleware-based route protection bypass", "problemTypes": [{"descriptions": [{"cweId": "CWE-436", "lang": "en", "description": "CWE-436: Interpretation Conflict", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-863", "lang": "en", "description": "CWE-863: Incorrect Authorization", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 9.1, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/clerk/javascript/security/advisories/GHSA-vqx2-fgx2-5wq9", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/clerk/javascript/security/advisories/GHSA-vqx2-fgx2-5wq9"}], "affected": [{"vendor": "clerk", "product": "astro", "versions": [{"version": ">= 0.0.1, < 1.5.7", "status": "affected"}, {"version": ">= 2.0.0-snapshot.v20241206174604, <= 2.17.9", "status": "affected"}, {"version": ">= 3.0.0, < 3.0.15", "status": "affected"}]}, {"vendor": "clerk", "product": "nextjs", "versions": [{"version": ">= 5.0.0, < 5.7.6", "status": "affected"}, {"version": ">= 6.0.0-snapshot.vb87a27f, < 6.39.2", "status": "affected"}, {"version": ">= 7.0.0, < 7.2.1", "status": "affected"}]}, {"vendor": "clerk", "product": "nuxt", "versions": [{"version": ">= 1.1.0, < 1.13.28", "status": "affected"}, {"version": ">= 2.0.0, < 2.2.2", "status": "affected"}]}, {"vendor": "clerk", "product": "shared", "versions": [{"version": ">= 2.20.17, < 2.22.1", "status": "affected"}, {"version": ">= 3.0.0-canary.v20250225091530, < 3.47.4", "status": "affected"}, {"version": ">= 4.0.0, < 4.8.1", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-24T21:04:35.810Z"}, "descriptions": [{"lang": "en", "value": "Clerk JavaScript is the official JavaScript repository for Clerk authentication. createRouteMatcher in @clerk/nextjs, @clerk/nuxt, and @clerk/astro can be bypassed by certain crafted requests, allowing them to skip middleware gating and reach downstream handlers. This vulnerability is fixed in @clerk/astro 1.5.7, 2.17.10, and 3.0.15; @clerk/nextjs 5.7.6, 6.39.2, and 7.2.1; @clerk/nuxt 1.13.28 and 2.2.2; and @clerk/shared 2.22.1, 3.47.4, anc 4.8.1"}], "source": {"advisory": "GHSA-vqx2-fgx2-5wq9", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-27T13:46:14.373183Z", "id": "CVE-2026-41248", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-27T13:46:28.646Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-41248", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-04-27T13:46:14.373183Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-27T13:46:23.286Z"}}], "cna": {"title": "Official Clerk JavaScript SDKs: Middleware-based route protection bypass", "source": {"advisory": "GHSA-vqx2-fgx2-5wq9", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.1, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "clerk", "product": "astro", "versions": [{"status": "affected", "version": ">= 0.0.1, < 1.5.7"}, {"status": "affected", "version": ">= 2.0.0-snapshot.v20241206174604, <= 2.17.9"}, {"status": "affected", "version": ">= 3.0.0, < 3.0.15"}]}, {"vendor": "clerk", "product": "nextjs", "versions": [{"status": "affected", "version": ">= 5.0.0, < 5.7.6"}, {"status": "affected", "version": ">= 6.0.0-snapshot.vb87a27f, < 6.39.2"}, {"status": "affected", "version": ">= 7.0.0, < 7.2.1"}]}, {"vendor": "clerk", "product": "nuxt", "versions": [{"status": "affected", "version": ">= 1.1.0, < 1.13.28"}, {"status": "affected", "version": ">= 2.0.0, < 2.2.2"}]}, {"vendor": "clerk", "product": "shared", "versions": [{"status": "affected", "version": ">= 2.20.17, < 2.22.1"}, {"status": "affected", "version": ">= 3.0.0-canary.v20250225091530, < 3.47.4"}, {"status": "affected", "version": ">= 4.0.0, < 4.8.1"}]}], "references": [{"url": "https://github.com/clerk/javascript/security/advisories/GHSA-vqx2-fgx2-5wq9", "name": "https://github.com/clerk/javascript/security/advisories/GHSA-vqx2-fgx2-5wq9", "tags": ["x_refsource_CONFIRM"]}], "descriptions": [{"lang": "en", "value": "Clerk JavaScript is the official JavaScript repository for Clerk authentication. createRouteMatcher in @clerk/nextjs, @clerk/nuxt, and @clerk/astro can be bypassed by certain crafted requests, allowing them to skip middleware gating and reach downstream handlers. This vulnerability is fixed in @clerk/astro 1.5.7, 2.17.10, and 3.0.15; @clerk/nextjs 5.7.6, 6.39.2, and 7.2.1; @clerk/nuxt 1.13.28 and 2.2.2; and @clerk/shared 2.22.1, 3.47.4, anc 4.8.1"}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-436", "description": "CWE-436: Interpretation Conflict"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-863", "description": "CWE-863: Incorrect Authorization"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-24T21:04:35.810Z"}}}, "cveMetadata": {"cveId": "CVE-2026-41248", "state": "PUBLISHED", "dateUpdated": "2026-04-27T13:46:28.646Z", "dateReserved": "2026-04-18T03:47:03.136Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-04-24T21:04:35.810Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Clerk JavaScript is the official JavaScript repository for Clerk authentication. createRouteMatcher in @clerk/nextjs, @clerk/nuxt, and @clerk/astro can be bypassed by certain crafted requests, allowing them to skip middleware gating and reach downstream handlers. This vulnerability is fixed in @clerk/astro 1.5.7, 2.17.10, and 3.0.15; @clerk/nextjs 5.7.6, 6.39.2, and 7.2.1; @clerk/nuxt 1.13.28 and 2.2.2; and @clerk/shared 2.22.1, 3.47.4, anc 4.8.1"}], "id": "CVE-2026-41248", "lastModified": "2026-04-29T20:56:50.103", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 9.1, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.2, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-04-24T21:16:18.497", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/clerk/javascript/security/advisories/GHSA-vqx2-fgx2-5wq9"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-436"}, {"lang": "en", "value": "CWE-863"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0.0.1,1.5.7)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[2.0.0-snapshot.v20241206174604,2.17.9]"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[3.0.0,3.0.15)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "astro", "source": "cna", "vendor": "clerk"}, "product": "astro", "vendor": "clerk"}, {"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[5.0.0,5.7.6)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[6.0.0-snapshot.vb87a27f,6.39.2)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[7.0.0,7.2.1)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "nextjs", "source": "cna", "vendor": "clerk"}, "product": "nextjs", "vendor": "clerk"}, {"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[1.1.0,1.13.28)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[2.0.0,2.2.2)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "nuxt", "source": "cna", "vendor": "clerk"}, "product": "nuxt", "vendor": "clerk"}, {"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[2.20.17,2.22.1)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[3.0.0-canary.v20250225091530,3.47.4)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[4.0.0,4.8.1)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "shared", "source": "cna", "vendor": "clerk"}, "product": "shared", "vendor": "clerk"}], "analysis": {"en": {"generated_at": "2026-04-28T05:43:42.679834+00:00", "value": {"mitigation_remediation": ["Upgrade @clerk/astro to 1.5.7, 2.17.10, or 3.0.15", "Upgrade @clerk/nextjs to 5.7.6, 6.39.2, or 7.2.1", "Upgrade @clerk/nuxt to 1.13.28 or 2.2.2", "Upgrade @clerk/shared to 2.22.1, 3.47.4, or 4.8.1", "Add additional runtime authentication checks in downstream route handlers to act as a safeguard"], "summary": {"action": "Patch", "impact": "Authentication and access control bypass via crafted requests"}, "threat_synthesis": {"affected_systems": "Affected are Clerk packages: @clerk/astro (used in Astro framework), @clerk/nextjs (used in Next.js), @clerk/nuxt (used in Nuxt), and @clerk/shared. The specific vulnerable versions are earlier than 3.0.15 for Astro, 7.2.1 for Next.js, 2.2.2 for Nuxt, and 4.8.1 for shared.", "description_and_impact": "The vulnerability resides in Clerk JavaScript SDKs for Astro, Next.js, Nuxt, and shared libraries. A crafted request can bypass the createRouteMatcher function that is intended to enforce middleware gating, allowing the attacker to access protected downstream routes normally. The weakness, classified as CWE-436 and CWE-863, can result in unauthorized access to confidential data or functionality.", "risk_and_exploitability": "The CVSS score of 9.1 indicates a critical severity. The EPSS score, although below 1%, reflects a very low exploitation probability at the moment, and the vulnerability is not listed in the CISA KEV catalog. The likely attack vector is through crafted HTTP requests to bypass protection; prerequisites appear to be only legitimate access to the application\u2019s routing layer. Given the high CVSS and the nature of the breach, the potential impact ranges from data exposure to full unauthorized control over protected resources if exploited."}}}}, "created": "2026-04-27T19:52:50.685574+00:00", "updated": "2026-04-28T05:45:23.302101+00:00", "vendors": ["clerk", "clerk$PRODUCT$astro", "clerk$PRODUCT$nextjs", "clerk$PRODUCT$nuxt", "clerk$PRODUCT$shared"]}