JavaScript Vulnerability in Clerk Authentication Affects Multiple Clerk Products
CVE-2026-41248

9.1 CRITICAL

Key Information:

Vendor: Clerk

Status
Vendor
CVE Published: 24 April 2026

What is CVE-2026-41248?

The Clerk JavaScript library contains a vulnerability where crafted requests can bypass the middleware gating implemented in the @clerk/nextjs, @clerk/nuxt, and @clerk/astro products. This flaw allows unauthorized access to downstream handlers, potentially compromising the security integrity of applications using these libraries. Users are advised to upgrade to the recommended versions to mitigate risks associated with this issue.

Affected Version(s)

  • astro >= 0.0.1, < 1.5.7

  • astro >= 2.0.0-snapshot.v20241206174604, <= 2.17.9

  • astro >= 3.0.0, < 3.0.15

CVSS V3.1

Score: 9.1
Severity: CRITICAL
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved