{"api_version":"1","generated_at":"2026-04-25T13:01:20+00:00","cve":"CVE-2026-41248","urls":{"html":"https://cve.report/CVE-2026-41248","api":"https://cve.report/api/cve/CVE-2026-41248.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2026-41248","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2026-41248"},"summary":{"title":"Official Clerk JavaScript SDKs:  Middleware-based route protection bypass","description":"Clerk JavaScript is the official JavaScript repository for Clerk authentication. createRouteMatcher in @clerk/nextjs, @clerk/nuxt, and @clerk/astro can be bypassed by certain crafted requests, allowing them to skip middleware gating and reach downstream handlers. This vulnerability is fixed in @clerk/astro 1.5.7, 2.17.10, and 3.0.15; @clerk/nextjs 5.7.6, 6.39.2, and 7.2.1; @clerk/nuxt 1.13.28 and 2.2.2; and @clerk/shared 2.22.1, 3.47.4, anc 4.8.1","state":"PUBLISHED","assigner":"GitHub_M","published_at":"2026-04-24 21:16:18","updated_at":"2026-04-24 21:16:18"},"problem_types":["CWE-436","CWE-863","CWE-436 CWE-436: Interpretation Conflict","CWE-863 CWE-863: Incorrect Authorization"],"metrics":[{"version":"3.1","source":"security-advisories@github.com","type":"Secondary","score":"9.1","severity":"CRITICAL","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N","data":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N","baseScore":9.1,"baseSeverity":"CRITICAL","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"NONE"}},{"version":"3.1","source":"CNA","type":"DECLARED","score":"9.1","severity":"CRITICAL","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N","data":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"NONE","baseScore":9.1,"baseSeverity":"CRITICAL","confidentialityImpact":"HIGH","integrityImpact":"HIGH","privilegesRequired":"NONE","scope":"UNCHANGED","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N","version":"3.1"}}],"references":[{"url":"https://github.com/clerk/javascript/security/advisories/GHSA-vqx2-fgx2-5wq9","name":"https://github.com/clerk/javascript/security/advisories/GHSA-vqx2-fgx2-5wq9","refsource":"security-advisories@github.com","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://www.cve.org/CVERecord?id=CVE-2026-41248","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-41248","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[{"source":"CNA","vendor":"clerk","product":"astro","version":"affected >= 0.0.1, < 1.5.7","platforms":[]},{"source":"CNA","vendor":"clerk","product":"astro","version":"affected >= 2.0.0-snapshot.v20241206174604, <= 2.17.9","platforms":[]},{"source":"CNA","vendor":"clerk","product":"astro","version":"affected >= 3.0.0, < 3.0.15","platforms":[]},{"source":"CNA","vendor":"clerk","product":"nextjs","version":"affected >= 5.0.0, < 5.7.6","platforms":[]},{"source":"CNA","vendor":"clerk","product":"nextjs","version":"affected >= 6.0.0-snapshot.vb87a27f, < 6.39.2","platforms":[]},{"source":"CNA","vendor":"clerk","product":"nextjs","version":"affected >= 7.0.0, < 7.2.1","platforms":[]},{"source":"CNA","vendor":"clerk","product":"nuxt","version":"affected >= 1.1.0, < 1.13.28","platforms":[]},{"source":"CNA","vendor":"clerk","product":"nuxt","version":"affected >= 2.0.0, < 2.2.2","platforms":[]},{"source":"CNA","vendor":"clerk","product":"shared","version":"affected >= 2.20.17, < 2.22.1","platforms":[]},{"source":"CNA","vendor":"clerk","product":"shared","version":"affected >= 3.0.0-canary.v20250225091530, < 3.47.4","platforms":[]},{"source":"CNA","vendor":"clerk","product":"shared","version":"affected >= 4.0.0, < 4.8.1","platforms":[]}],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[]},"source_records":{"cve_program":{"containers":{"cna":{"affected":[{"product":"astro","vendor":"clerk","versions":[{"status":"affected","version":">= 0.0.1, < 1.5.7"},{"status":"affected","version":">= 2.0.0-snapshot.v20241206174604, <= 2.17.9"},{"status":"affected","version":">= 3.0.0, < 3.0.15"}]},{"product":"nextjs","vendor":"clerk","versions":[{"status":"affected","version":">= 5.0.0, < 5.7.6"},{"status":"affected","version":">= 6.0.0-snapshot.vb87a27f, < 6.39.2"},{"status":"affected","version":">= 7.0.0, < 7.2.1"}]},{"product":"nuxt","vendor":"clerk","versions":[{"status":"affected","version":">= 1.1.0, < 1.13.28"},{"status":"affected","version":">= 2.0.0, < 2.2.2"}]},{"product":"shared","vendor":"clerk","versions":[{"status":"affected","version":">= 2.20.17, < 2.22.1"},{"status":"affected","version":">= 3.0.0-canary.v20250225091530, < 3.47.4"},{"status":"affected","version":">= 4.0.0, < 4.8.1"}]}],"descriptions":[{"lang":"en","value":"Clerk JavaScript is the official JavaScript repository for Clerk authentication. createRouteMatcher in @clerk/nextjs, @clerk/nuxt, and @clerk/astro can be bypassed by certain crafted requests, allowing them to skip middleware gating and reach downstream handlers. This vulnerability is fixed in @clerk/astro 1.5.7, 2.17.10, and 3.0.15; @clerk/nextjs 5.7.6, 6.39.2, and 7.2.1; @clerk/nuxt 1.13.28 and 2.2.2; and @clerk/shared 2.22.1, 3.47.4, anc 4.8.1"}],"metrics":[{"cvssV3_1":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"NONE","baseScore":9.1,"baseSeverity":"CRITICAL","confidentialityImpact":"HIGH","integrityImpact":"HIGH","privilegesRequired":"NONE","scope":"UNCHANGED","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N","version":"3.1"}}],"problemTypes":[{"descriptions":[{"cweId":"CWE-436","description":"CWE-436: Interpretation Conflict","lang":"en","type":"CWE"}]},{"descriptions":[{"cweId":"CWE-863","description":"CWE-863: Incorrect Authorization","lang":"en","type":"CWE"}]}],"providerMetadata":{"dateUpdated":"2026-04-24T21:04:35.810Z","orgId":"a0819718-46f1-4df5-94e2-005712e83aaa","shortName":"GitHub_M"},"references":[{"name":"https://github.com/clerk/javascript/security/advisories/GHSA-vqx2-fgx2-5wq9","tags":["x_refsource_CONFIRM"],"url":"https://github.com/clerk/javascript/security/advisories/GHSA-vqx2-fgx2-5wq9"}],"source":{"advisory":"GHSA-vqx2-fgx2-5wq9","discovery":"UNKNOWN"},"title":"Official Clerk JavaScript SDKs:  Middleware-based route protection bypass"}},"cveMetadata":{"assignerOrgId":"a0819718-46f1-4df5-94e2-005712e83aaa","assignerShortName":"GitHub_M","cveId":"CVE-2026-41248","datePublished":"2026-04-24T21:04:35.810Z","dateReserved":"2026-04-18T03:47:03.136Z","dateUpdated":"2026-04-24T21:04:35.810Z","state":"PUBLISHED"},"dataType":"CVE_RECORD","dataVersion":"5.2"},"nvd":{"publishedDate":"2026-04-24 21:16:18","lastModifiedDate":"2026-04-24 21:16:18","problem_types":["CWE-436","CWE-863","CWE-436 CWE-436: Interpretation Conflict","CWE-863 CWE-863: Incorrect Authorization"],"metrics":{"cvssMetricV31":[{"source":"security-advisories@github.com","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N","baseScore":9.1,"baseSeverity":"CRITICAL","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"NONE"},"exploitabilityScore":3.9,"impactScore":5.2}]},"configurations":[]},"legacy_mitre":{"record":{"CveYear":"2026","CveId":"41248","Ordinal":"1","Title":"Official Clerk JavaScript SDKs:  Middleware-based route protecti","CVE":"CVE-2026-41248","Year":"2026"},"notes":[{"CveYear":"2026","CveId":"41248","Ordinal":"1","NoteData":"Clerk JavaScript is the official JavaScript repository for Clerk authentication. createRouteMatcher in @clerk/nextjs, @clerk/nuxt, and @clerk/astro can be bypassed by certain crafted requests, allowing them to skip middleware gating and reach downstream handlers. This vulnerability is fixed in @clerk/astro 1.5.7, 2.17.10, and 3.0.15; @clerk/nextjs 5.7.6, 6.39.2, and 7.2.1; @clerk/nuxt 1.13.28 and 2.2.2; and @clerk/shared 2.22.1, 3.47.4, anc 4.8.1","Type":"Description","Title":"Official Clerk JavaScript SDKs:  Middleware-based route protecti"}]}}}