CVE-2026-41248 - Vulnerability Analysis
CriticalCVSS: 9.1Last Updated: April 24, 2026
Clerk JavaScript - Authentication Bypass
Published: April 24, 2026Updated: April 24, 2026Remote Exploitable
Overview
Clerk JavaScript @clerk/nextjs, @clerk/nuxt, and @clerk/astro contain an authentication bypass caused by crafted requests bypassing createRouteMatcher middleware gating, letting attackers skip middleware and reach downstream handlers, exploit requires crafted requests.
Severity & Score
Severity: Critical
CVSS Score: 9.1
Impact
Attackers can bypass middleware authentication, potentially accessing protected resources without authorization.
Mitigation
Update to @clerk/astro 1.5.7, 2.17.10, 3.0.15; @clerk/nextjs 5.7.6, 6.39.2, 7.2.1; @clerk/nuxt 1.13.28, 2.2.2; and @clerk/shared 2.22.1, 3.47.4, 4.8.1 or later.
Related Resources
Details
- CVE ID
- CVE-2026-41248
- Severity
- Critical
- CVSS Score
- 9.1
- Type
- broken_authentication
- Status
- new
CWE
- CWE-436
CVSS Metrics
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N