npm/@clerk/nextjs — 4 CVEs

CRITICAL9.1CVE-2026-41248Official Clerk JavaScript SDKs: Middleware-based route protection bypass

>= 5.0.0, < 5.7.6

CRITICAL9.0CVE-2024-22206@clerk/nextjs auth() and getAuth() methods vulnerable to insecure direct object reference (IDOR)

>= 4.7.0, < 4.29.3

HIGH8.1CVE-2026-42349Clerk has an authorization bypass when combining organization, billing, or reverification checks

>= 6.0.0, < 6.39.3

HIGH7.5@clerk/backend Performs Insufficient Verification of Data Authenticity

>= 6.2.10, < 6.23.3

pkg:npm/@clerk/nextjs