CVE-2026-41248
Clerk · Clerk JavaScript (Next.js, Nuxt, Astro)
A bypass vulnerability in Clerk's `createRouteMatcher` allows unauthenticated requests to skip middleware gating and reach downstream handlers.
Executive summary
A critical authentication bypass vulnerability in Clerk JavaScript libraries allows attackers to circumvent middleware security controls and access protected routes.
Vulnerability
The createRouteMatcher function exported by Clerk's framework integration packages (@clerk/nextjs, @clerk/nuxt and @clerk/astro, with shared logic in @clerk/shared) does not correctly evaluate certain crafted requests against the configured route patterns. A request that should be matched as protected can therefore skip the authentication check in the middleware, and an unauthenticated attacker reaches application handlers that were intended to be gated by Clerk.
Business impact
This vulnerability undermines the fundamental authentication logic of applications using Clerk, potentially exposing private user data and administrative functions. With a CVSS score of 9.1, the risk of unauthorized access is severe, as attackers can bypass security checks designed to guard sensitive business logic and backend services.
Remediation
Immediate Action: Update all affected Clerk packages (@clerk/nextjs, @clerk/nuxt, @clerk/astro, and @clerk/shared) to the fixed versions specified in the vendor security advisory, refresh the lockfile so the fixed versions are actually installed (for example, check the resolved version with npm ls @clerk/nextjs), and redeploy.
Proactive Monitoring: Review application and access logs for successful (2xx) responses on routes that the middleware is supposed to restrict where no authenticated user or session is associated with the request; that pattern is the signature of the gate not being applied.
Compensating Controls: No WAF rule can fully replace the middleware logic, because the bypass lies in how the application's own route matcher classifies requests. Until patched, and as defense-in-depth afterwards, every protected handler should independently verify the session (and any role or ownership requirement) server-side rather than assuming the middleware ran.
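The following is an added example, not Clerk's code or code from the advisory. It models the two layers the monitoring and compensating-control items above describe: route-level gating (the role clerkMiddleware and createRouteMatcher play) plus an independent session check inside the handler, so that skipping the middleware alone does not expose the handler. It also scans a few constructed access-log lines for the pattern worth alerting on. The createRouteMatcher and resolveUserId functions here are simplified stand-ins (Clerk's matcher is path-to-regexp based, and the session lookup in @clerk/nextjs is auth() from @clerk/nextjs/server); the session table, request objects and log format are constructed for the example.

```javascript
// Added example, not Clerk's implementation. Stand-in for Clerk's
// createRouteMatcher: takes path-to-regexp-style patterns such as
// "/dashboard(.*)" and returns a predicate over a request path.
function createRouteMatcher(patterns) {
  const regexes = patterns.map((p) => new RegExp("^" + p + "$"));
  return (path) => regexes.some((re) => re.test(path));
}

const isProtectedRoute = createRouteMatcher(["/dashboard(.*)", "/api/admin(.*)"]);

// Stand-in for server-side session resolution (Clerk: auth() in
// @clerk/nextjs/server). Constructed: a "__session" cookie maps to a userId.
const SESSIONS = { sess_abc: "user_1" }; // constructed sample data
function resolveUserId(req) {
  const cookie = req.headers["cookie"] || "";
  const m = /__session=([^;]+)/.exec(cookie);
  return m && SESSIONS[m[1]] ? SESSIONS[m[1]] : null;
}

// Layer 1: middleware gating. Returns an early 401 or null to continue.
function middleware(req) {
  if (isProtectedRoute(req.path) && !resolveUserId(req)) {
    return { status: 401, body: "unauthorized (middleware)" };
  }
  return null;
}

// Layer 2: the handler re-checks its own requirement and never assumes the
// middleware ran. This is the compensating control the advisory recommends.
function adminHandler(req) {
  const userId = resolveUserId(req);
  if (!userId) return { status: 401, body: "unauthorized (handler)" };
  return { status: 200, body: "hello " + userId };
}

// Request pipeline with a switch that simulates the middleware being skipped,
// which is the observable effect of a createRouteMatcher bypass.
function handleRequest(req, { middlewareBypassed = false } = {}) {
  if (!middlewareBypassed) {
    const early = middleware(req);
    if (early) return early;
  }
  return adminHandler(req);
}

// Detection: a protected route answered 200 with no user principal means the
// gate was not applied. Constructed log format: "<method> <path> <status> user=<id|->"
function findUngatedHits(logLines) {
  const hits = [];
  for (const line of logLines) {
    const [method, path, status, user] = line.trim().split(/\s+/);
    const uid = user.replace(/^user=/, "");
    if (isProtectedRoute(path) && status === "200" && uid === "-") {
      hits.push({ method, path });
    }
  }
  return hits;
}

// Constructed sample log lines for the detection function.
const SAMPLE_LOG = [
  "GET /dashboard 200 user=user_1",
  "GET /dashboard/settings 200 user=-",
  "GET /api/admin/users 401 user=-",
  "GET /public 200 user=-",
];

// Usage: an anonymous request to a protected route is rejected by the
// middleware; with the middleware skipped it is still rejected by the handler.
const anonymous = { path: "/api/admin/users", headers: {} };
console.log(handleRequest(anonymous));
console.log(handleRequest(anonymous, { middlewareBypassed: true }));
console.log(findUngatedHits(SAMPLE_LOG));
```

The handler-level check is what keeps the route closed when the first layer fails; the log scan is the same matcher applied after the fact, so a hit on a protected path with status 200 and no principal is a concrete signal to investigate rather than a generic "unexpected access pattern".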
Exploitation status
Public Exploit Available: False
Analyst recommendation
Developers must treat this as a critical-priority update. Because the flaw sits in the route-matching logic that decides which requests the authentication middleware gates at all, an unpatched application leaves every route that relies solely on that middleware, and the downstream handlers behind it, reachable by unauthenticated requests.