Clerk has an authorization bypass when combining organization, billing, or reverification checks — CVE-2026-42349

GitHub · GitHub · CVE-2026-42349

ID
CVE-2026-42349

Datum
2026-04-30

Aktualisiert
2026-05-13

Activity
2026-05-13

Quelle
GitHub

Vendor
GitHub

Risiko
high

CVSS
7.6

EPSS
0.00054

Zusammenfassung

### Summary `has()`, `auth.protect()`, and related authorization predicates in `@clerk/shared`, `@clerk/nextjs`, `@clerk/backend`, and other framework SDKs can return true for certain combined authorization checks when the result should be false, allowing a gated action to proceed for a user who does not satisfy the full set of requested conditions. Sessions are not compromised and no existing user can be…

Produkt

Was tun?

Allgemeine, vorsichtige Schritte (bitte prüfe die offizielle Quelle für Details):

Priorisiere sofort Patches oder Mitigations (hohes akutes Risiko).
Identifiziere betroffene Produktversionen und prüfe, ob du betroffen bist.
Spiele Hersteller-Updates/Patches ein oder setze empfohlene Mitigations um.
Lies das offizielle Advisory für betroffene Versionen und konkrete Schritte.

Offizielles Advisory

Mehr dazu

GitHub GitHub 2026-W20

Clerk has an authorization bypass when combining organization, billing, or reverification checks — CVE-2026-42349

Zusammenfassung

Produkt

Was tun?

Offizielles Advisory

Mehr dazu

Assisted Installer RHEL 8 components for Multicluster Engine for Kubernetes 2.6.11

Assisted Installer RHEL 9 components for Multicluster Engine for Kubernetes 2.6.11

Authlib: Cross-site request forging when using cache

AutoMapper Vulnerable to Denial of Service (DoS) via Uncontrolled Recursion

Important: firefox security update

Important: gimp:2.8 security update