Critical (9.1)

Clerk middleware bypass grants unauthenticated access (CVE-2026-41248)

CVE-2026-41248: Critical bypass in @clerk/nextjs, @clerk/nuxt, @clerk/astro lets attackers skip middleware gating (CVSS 9.1). Update to fixed versions: @clerk/nextjs 7.2.1, @clerk/nuxt 2.2.2, @clerk/astro 3.0.15.

Patch now - CVE-2026-41248 is a critical authentication bypass in Clerk JavaScript packages (@clerk/nextjs, @clerk/nuxt, @clerk/astro) that lets unauthenticated attackers craft requests to skip middleware route protection and reach downstream handlers. Fixed versions are available across all affected packages and should be applied immediately.

Overview

CVE-2026-41248 affects the createRouteMatcher function in @clerk/nextjs, @clerk/nuxt, and @clerk/astro from Clerk, an authentication and user management platform. The vulnerability allows attackers to craft requests that bypass middleware gating, reaching application handlers that should be protected by authentication checks. The flaw has a CVSS score of 9.1 (Critical) with a network attack vector that requires no privileges or user interaction to exploit.

Attackers can exploit this bypass to access restricted routes, potentially exposing sensitive data, performing unauthorized actions, or escalating privileges within the application. Since Clerk middleware is often used to protect entire route stacks, a single bypass could compromise multiple protected endpoints behind the middleware check.

Affected Versions

| Package       | Affected versions                                              | Fixed versions          |
|---------------|----------------------------------------------------------------|-------------------------|
| @clerk/nextjs | < 5.7.6, >= 6.0.0 < 6.39.2, >= 7.0.0 < 7.2.1                   | 5.7.6, 6.39.2, 7.2.1    |
| @clerk/nuxt   | < 1.13.28, >= 2.0.0 < 2.2.2                                    | 1.13.28, 2.2.2          |
| @clerk/astro  | < 1.5.7, >= 2.0.0 < 2.17.10, >= 3.0.0 < 3.0.15                 | 1.5.7, 2.17.10, 3.0.15  |
| @clerk/shared | < 2.22.1, >= 3.0.0 < 3.47.4, >= 4.0.0 < 4.8.1                  | 2.22.1, 3.47.4, 4.8.1   |

Remediation

Update all affected Clerk packages to the latest fixed versions for their respective major track. Use your package manager (npm update, yarn upgrade, pnpm update) to pull the patched versions. For projects using a lockfile, regenerate it after updating.

If immediate patching is not possible, organizations should audit all route matcher configurations for middleware bypass potential and consider adding additional server-side authorization checks on downstream handlers as a defense-in-depth measure.

Administrators should review application logs for anomalous requests that reached protected routes without authentication during the window between the application's exposure and patch deployment. The vulnerability can be exploited without user interaction, so unpatched systems that were reachable from untrusted networks should be treated as compromised.
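The log review described above, as an added example that is not part of the advisory or of Clerk's own tooling: it takes a list of protected route patterns in the same "path(.*)" style accepted by Clerk's route matcher and flags log entries where a protected path returned a success status to a request that carried no session credential. The log format, its field names, the concrete route patterns and all sample entries are assumptions constructed for this illustration.

```javascript
// Added example (not from the advisory or from Clerk): post-patch log review
// that flags requests which reached a protected route without a session
// credential and still received a 2xx response. Field names, route patterns
// and the sample log are assumptions constructed for this illustration.

// Protected route patterns, in the "path(.*)" style Clerk's route matcher
// accepts. The concrete paths are assumptions.
const PROTECTED_PATTERNS = ['/dashboard(.*)', '/api/admin(.*)', '/settings'];

// Turn one pattern into an anchored RegExp. Only "(.*)" is treated as a
// wildcard; every other character is matched literally.
function patternToRegExp(pattern) {
  const escaped = pattern
    .split('(.*)')
    .map(part => part.replace(/[.*+?^${}()|[\]\\]/g, '\\$&'))
    .join('.*');
  return new RegExp(`^${escaped}$`);
}

const PROTECTED = PROTECTED_PATTERNS.map(patternToRegExp);

function isProtectedPath(path) {
  // Compare the path component only; the query string is never part of the match.
  const pathOnly = path.split('?')[0];
  return PROTECTED.some(re => re.test(pathOnly));
}

// Each log line is one JSON object (constructed sample, not real traffic).
// `session` records whether the request carried a Clerk session cookie or an
// Authorization header; `status` is the final response status.
const SAMPLE_LOG = [
  '{"ts":"2026-05-01T10:00:01Z","method":"GET","path":"/dashboard","status":200,"session":true,"ip":"203.0.113.10"}',
  '{"ts":"2026-05-01T10:00:02Z","method":"GET","path":"/dashboard","status":401,"session":false,"ip":"198.51.100.7"}',
  '{"ts":"2026-05-01T10:00:03Z","method":"GET","path":"/api/admin/users","status":200,"session":false,"ip":"198.51.100.7"}',
  '{"ts":"2026-05-01T10:00:04Z","method":"GET","path":"/pricing","status":200,"session":false,"ip":"198.51.100.7"}',
  '{"ts":"2026-05-01T10:00:05Z","method":"POST","path":"/settings?tab=billing","status":204,"session":false,"ip":"198.51.100.7"}',
  'this line is not JSON and must not abort the review',
];

// Return every entry where a protected path answered 2xx to a request that
// carried no session. After patching, any such entry deserves investigation.
function findSuspiciousRequests(lines) {
  const hits = [];
  for (const line of lines) {
    let entry;
    try {
      entry = JSON.parse(line);
    } catch {
      continue; // malformed line: skip it rather than abort the whole review
    }
    const succeeded = entry.status >= 200 && entry.status < 300;
    if (isProtectedPath(entry.path) && !entry.session && succeeded) {
      hits.push(entry);
    }
  }
  return hits;
}

// Count hits per source address so a single noisy client stands out.
function summarizeBySource(hits) {
  const counts = {};
  for (const h of hits) counts[h.ip] = (counts[h.ip] ?? 0) + 1;
  return counts;
}

// Stand-alone run: print the flagged entries and the per-source counts.
const flagged = findSuspiciousRequests(SAMPLE_LOG);
console.log(JSON.stringify(flagged, null, 2));
console.log(summarizeBySource(flagged));
```

A 401 on a protected route is the middleware doing its job and is not flagged; only success responses to credential-less requests are. Real deployments will need the field names adapted to whatever the reverse proxy or application logger emits, and the session indicator should be derived from the presence of the session cookie or bearer token at the edge, not from anything the application set after the fact.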

Security Insight

This vulnerability highlights a recurring class of authentication bypass bugs in middleware-based security models where request parsing and route matching logic disagree with downstream handlers. Similar bypasses have affected frameworks like Express.js and Next.js middleware in the past. The critical severity stems not from complexity but from the fundamental trust placed in middleware as the sole security gate. Organizations using Clerk should review whether they follow the principle of defense in depth by validating authentication at the handler level as well.
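The handler-level check recommended above, as an added example that is not part of the advisory or of Clerk's SDK: a small wrapper that verifies the session inside the route handler itself, so an unauthenticated request is rejected even when no middleware ran in front of it. It uses the standard Request and Response globals (Node 18+); the token format, the cookie name and the `verifySession` stand-in are assumptions, and in a real application that verification would be delegated to Clerk's server SDK rather than to a local lookup table.

```javascript
// Added example (not from the advisory or from Clerk): handler-level
// authorization as a second gate that does not depend on middleware having
// run. Uses the standard Request/Response globals (Node 18+). The token
// format, the cookie name and the verifySession stand-in are assumptions.

// Stand-in for session verification: maps a bearer token to a user id.
// Constructed sample data, not real credentials. A real app would call
// the authentication provider's server-side verification here.
const VALID_SESSIONS = new Map([['sess_valid_token', 'user_123']]);

function verifySession(token) {
  return VALID_SESSIONS.get(token) ?? null;
}

// Extract a session token from the Authorization header or a __session
// cookie, the two places a session credential commonly travels.
function extractToken(request) {
  const authz = request.headers.get('authorization') ?? '';
  if (authz.toLowerCase().startsWith('bearer ')) return authz.slice(7).trim();
  const cookie = request.headers.get('cookie') ?? '';
  const match = cookie.match(/(?:^|;\s*)__session=([^;]+)/);
  return match ? match[1] : null;
}

function jsonResponse(status, body, extraHeaders = {}) {
  return new Response(JSON.stringify(body), {
    status,
    headers: { 'content-type': 'application/json', ...extraHeaders },
  });
}

// requireAuth wraps a handler so that it verifies the session itself.
// Whatever the middleware decided, or whether it ran at all, an
// unauthenticated request never reaches the business logic.
function requireAuth(handler) {
  return (request) => {
    const token = extractToken(request);
    const userId = token ? verifySession(token) : null;
    if (!userId) return jsonResponse(401, { error: 'unauthenticated' });
    return handler(request, { userId });
  };
}

// Example protected handler. The verified user id is echoed in a response
// header so a caller can confirm which identity the handler acted for.
const adminUsersHandler = requireAuth((_request, { userId }) =>
  jsonResponse(200, { users: [] }, { 'x-requested-by': userId })
);

// Call the handler directly, with no middleware in front of it. This is the
// situation a middleware bypass creates, and the handler must still hold.
function callDirectly(headers) {
  const req = new Request('http://app.example/api/admin/users', { headers });
  return adminUsersHandler(req);
}

// Stand-alone run: no credential, a bogus token, and a valid cookie session.
console.log('no credential ->', callDirectly({}).status);
console.log('bogus token   ->', callDirectly({ authorization: 'Bearer nope' }).status);
console.log('valid cookie  ->',
  callDirectly({ cookie: 'theme=dark; __session=sess_valid_token' }).status);
```

The point of the wrapper is that the route matcher and the handler no longer have to agree for the application to stay safe: a matcher that fails to classify a request as protected costs a layer, not the whole gate. Applying it to every handler behind the middleware, rather than to a few sensitive ones, is what turns it into an actual defense-in-depth measure.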
