Introduction
A critical route protection bypass in Clerk's official JavaScript SDKs allows crafted requests to slip past middleware gating and reach protected downstream handlers without authentication. For the many applications built on Next.js, Nuxt, and Astro that depend on Clerk's createRouteMatcher as their primary access control mechanism, this flaw quietly opens the door to unauthorized access to sensitive API routes and server components.
Clerk provides full-stack authentication and user management for modern web frameworks such as React, Next.js, and Remix. The platform offers drop-in UI components for sign-in flows, multi-tenant B2B authentication, and subscription billing, and is used by numerous fast-growing companies across the web development ecosystem.
Technical Information
CVE-2026-41248 carries a CVSS v3.1 base score of 9.1 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N): the attack is network-based and of low complexity, and it requires neither privileges nor user interaction. A successful exploit has high impact on both confidentiality and integrity, with no availability impact.
The root cause maps to two CWE classifications: CWE-436 (Interpretation Conflict) and CWE-863 (Incorrect Authorization). The createRouteMatcher function, the core of Clerk's middleware-based route protection, accepts an array of route patterns and reports whether an incoming request matches one of them. Certain crafted requests evade this matching logic: the matcher does not recognize the request as targeting a protected route, so the middleware never invokes auth.protect(), and the request proceeds to downstream handlers without the middleware having enforced authentication.
Vulnerable Pattern
The vulnerability manifests when developers use an allow-list approach, naming the routes to protect and leaving everything else ungated:

```typescript
import { clerkMiddleware, createRouteMatcher } from '@clerk/nextjs/server';

// Allow-list: only paths matching these patterns are gated.
const isProtectedRoute = createRouteMatcher(['/admin(.*)']);

export default clerkMiddleware(async (auth, req) => {
  if (isProtectedRoute(req)) {
    await auth.protect();
  }
});
```

In this pattern, if the crafted request evades the route matcher, isProtectedRoute(req) returns false, auth.protect() is never called, and the request reaches the downstream handler. The gate fails open.
Safe Pattern
A default-deny pattern blocks the bypass at the middleware layer:

```typescript
import { clerkMiddleware, createRouteMatcher } from '@clerk/nextjs/server';

// Default-deny: only paths matching these patterns are public.
const isPublicRoute = createRouteMatcher(['/docs(.*)']);

export default clerkMiddleware(async (auth, req) => {
  if (!isPublicRoute(req)) {
    await auth.protect();
  }
});
```

By defining public routes and protecting everything else, the application calls auth.protect() on any request that does not explicitly match a public path, including the crafted bypass requests. A request the matcher fails to recognize is treated as protected, so the gate fails closed.
Important Nuance
The bypass does not compromise user sessions or allow impersonation of existing users. The auth() function continues to reflect the real authentication state of the caller. The issue is strictly that the middleware gating decision is skipped, so the request reaches handlers the developer intended to be gated. Handlers that perform their own auth() check will still identify the request as unauthenticated and can reject it; the exposure is confined to handlers that trusted the middleware to have done that work.
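To make the fail-open versus fail-closed difference between the two patterns concrete, and to exercise the nuance just described, here is a framework-free JavaScript model written for this page; it is not Clerk's code. simpleRouteMatcher, allowListMiddleware, defaultDenyMiddleware, serve and the session object are stand-ins for createRouteMatcher, clerkMiddleware and auth(). evasiveMatcher represents a request the real matcher fails to recognize; it does not reproduce the crafted request itself, which this page does not describe.

```javascript
// Added example, not Clerk's code: a framework-free model of the two
// middleware shapes on this page. The matchers stand in for
// createRouteMatcher, `session` stands in for what auth() reports, and
// `evasiveMatcher` stands in for a request the real matcher fails to
// recognize (the crafted request itself is not reproduced here).

// Minimal anchored matcher for the '/prefix(.*)' pattern style used above;
// '(.*)' is the only wildcard it understands.
function simpleRouteMatcher(patterns) {
  const escape = (s) => s.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
  const regexes = patterns.map(
    (p) => new RegExp('^' + p.split('(.*)').map(escape).join('.*') + '$')
  );
  return (req) => regexes.some((r) => r.test(req.pathname));
}

// Allow-list shape: gate only what the matcher recognizes as protected.
// A matcher miss means no protect() call, so it fails open.
function allowListMiddleware(isProtectedRoute) {
  return (req, session) => {
    if (isProtectedRoute(req) && !session.userId) {
      return { status: 401, reason: 'middleware' };
    }
    return { status: 'next' };
  };
}

// Default-deny shape: gate everything the matcher does not recognize as
// public. A matcher miss is treated as protected, so it fails closed.
function defaultDenyMiddleware(isPublicRoute) {
  return (req, session) => {
    if (!isPublicRoute(req) && !session.userId) {
      return { status: 401, reason: 'middleware' };
    }
    return { status: 'next' };
  };
}

// A handler that trusts the middleware and never checks auth() itself.
function trustingAdminHandler() {
  return { status: 200, body: 'admin data' };
}

// A handler that re-checks auth(); since auth() still reports the true
// state, it rejects an unauthenticated request even when the gate was skipped.
function checkingAdminHandler(session) {
  if (!session.userId) return { status: 401, reason: 'handler' };
  return { status: 200, body: 'admin data' };
}

// Middleware runs first; the handler only runs on 'next'.
function serve(middleware, handler, req, session) {
  const decision = middleware(req, session);
  return decision.status === 'next' ? handler(session) : decision;
}

const ANON = {};                      // signed-out caller: auth() has no userId
const isProtected = simpleRouteMatcher(['/admin(.*)']);
const isPublic = simpleRouteMatcher(['/docs(.*)']);
const evasiveMatcher = () => false;   // hypothetical: the matcher misses a crafted request

function runScenarios() {
  const admin = { pathname: '/admin/users' };
  const docs = { pathname: '/docs/intro' };
  const docsHandler = () => ({ status: 200, body: 'docs' });
  return {
    // Ordinary request: both shapes stop it at the middleware.
    normalAllowList: serve(allowListMiddleware(isProtected), trustingAdminHandler, admin, ANON),
    normalDefaultDeny: serve(defaultDenyMiddleware(isPublic), trustingAdminHandler, admin, ANON),
    // A public route stays reachable under default-deny.
    publicDefaultDeny: serve(defaultDenyMiddleware(isPublic), docsHandler, docs, ANON),
    // Matcher miss: the allow-list shape falls through to the handler...
    evadedAllowListTrusting: serve(allowListMiddleware(evasiveMatcher), trustingAdminHandler, admin, ANON),
    // ...unless the handler checks auth() itself.
    evadedAllowListChecking: serve(allowListMiddleware(evasiveMatcher), checkingAdminHandler, admin, ANON),
    // The default-deny shape protects on a matcher miss.
    evadedDefaultDeny: serve(defaultDenyMiddleware(evasiveMatcher), trustingAdminHandler, admin, ANON),
  };
}

console.log(runScenarios());
```

The only scenario that returns admin data to an anonymous caller is the allow-list gate combined with a handler that trusts it, which is exactly the combination the advisory describes; swapping either the gate shape or the handler's own check closes it.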
Affected Systems and Versions
The vulnerability impacts multiple Clerk packages across several major version lines:
@clerk/nextjs
  Affected: 5.0.0 through 5.7.5, 6.0.0 through 6.39.1, 7.0.0 through 7.2.0
  Fixed: 5.7.6, 6.39.2, 7.2.1

@clerk/nuxt
  Affected: 1.1.0 through 1.13.27, 2.0.0 through 2.2.1
  Fixed: 1.13.28, 2.2.2

@clerk/astro
  Affected: 1.0.0 through 1.5.6, 2.0.0 through 2.17.9, 3.0.0 through 3.0.14
  Fixed: 1.5.7, 2.17.10, 3.0.15

@clerk/shared
  Affected: 2.20.17 through 2.22.0, 3.0.0 through 3.47.3, 4.0.0 through 4.8.0
  Fixed: 2.22.1, 3.47.4, 4.8.1

The @clerk/shared package is typically not imported directly, but an application is vulnerable if it depends on an affected version transitively, and a lockfile can hold more than one copy. Running npm why @clerk/shared (or the equivalent for your package manager, such as pnpm why or yarn why) lists every installed version together with the dependents that pull it in; each listed version must be at or above the fixed release for its major line.
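The following Node.js script is an added example, not part of Clerk's tooling: it encodes the affected ranges listed above and walks the nested JSON tree that `npm ls --all --json` prints, so every installed copy of an affected package is reported with the dependency path that pulls it in. The sample tree is constructed for illustration; the version comparison handles x.y.z components and ignores prerelease tags.

```javascript
// Added example, not Clerk's code: audit an `npm ls --all --json` tree for
// @clerk/* versions inside the ranges listed in the advisory above.

// Affected ranges as [first affected, last affected], inclusive,
// transcribed from the advisory text.
const AFFECTED = {
  '@clerk/nextjs': [['5.0.0', '5.7.5'], ['6.0.0', '6.39.1'], ['7.0.0', '7.2.0']],
  '@clerk/nuxt': [['1.1.0', '1.13.27'], ['2.0.0', '2.2.1']],
  '@clerk/astro': [['1.0.0', '1.5.6'], ['2.0.0', '2.17.9'], ['3.0.0', '3.0.14']],
  '@clerk/shared': [['2.20.17', '2.22.0'], ['3.0.0', '3.47.3'], ['4.0.0', '4.8.0']],
};

// Compare two "x.y.z" versions numerically. A prerelease suffix is dropped,
// which is a simplification of full semver ordering.
function compareVersions(a, b) {
  const pa = a.split('-')[0].split('.').map(Number);
  const pb = b.split('-')[0].split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d < 0 ? -1 : 1;
  }
  return 0;
}

// True when `version` of `name` falls inside any affected range.
function isAffected(name, version) {
  const ranges = AFFECTED[name];
  if (!ranges) return false;
  return ranges.some(
    ([lo, hi]) => compareVersions(version, lo) >= 0 && compareVersions(version, hi) <= 0
  );
}

// Walk the nested `dependencies` objects of an `npm ls --all --json` tree and
// collect every affected package instance with the path that introduces it.
function findAffected(tree, path = [], out = []) {
  for (const [name, node] of Object.entries(tree.dependencies || {})) {
    const here = [...path, `${name}@${node.version}`];
    if (isAffected(name, node.version)) {
      out.push({ name, version: node.version, via: here.join(' > ') });
    }
    findAffected(node, here, out);
  }
  return out;
}

// Constructed sample tree (not real output): the app's direct @clerk/nextjs
// is patched and brings a patched @clerk/shared, but another dependency
// pins an older, affected @clerk/shared transitively.
const SAMPLE_TREE = {
  name: 'example-app',
  version: '1.0.0',
  dependencies: {
    '@clerk/nextjs': {
      version: '6.39.2',
      dependencies: { '@clerk/shared': { version: '3.47.4' } },
    },
    'some-internal-lib': {
      version: '0.4.0',
      dependencies: { '@clerk/shared': { version: '3.47.3' } },
    },
  },
};

const SAMPLE_RESULTS = findAffected(SAMPLE_TREE);
for (const hit of SAMPLE_RESULTS) console.log(`AFFECTED ${hit.via}`);
```

To run it against a real project, replace SAMPLE_TREE with `JSON.parse` of the output of `npm ls --all --json`; an empty result means no installed copy of the four packages sits in an affected range.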
Vendor Security History
Clerk has a track record of transparent security communications. For this vulnerability, the company published both a detailed GitHub advisory and a blog post, and provided clear upgrade paths across all maintained major versions with no breaking API changes.
This is not the first authentication bypass in Clerk's ecosystem. CVE-2025-63700 involved a bypass of the OAuth authentication flow in the clerk-js package, which was also addressed through a public advisory. The company has also invested in proactive security features such as Client Trust, a mechanism that defends against credential stuffing by treating new devices as untrusted.
References
- NVD: CVE-2026-41248
- GitHub Advisory: Middleware-based route protection bypass (GHSA-vqx2-fgx2-5wq9)
- Clerk Blog: Middleware-based route protection bypass
- Clerk Documentation: clerkMiddleware() for Next.js
- Clerk Documentation: clerkMiddleware() for Astro
- GitHub Advisory: Clerk-js OAuth authentication flow bypass (GHSA-3mm3-wfpv-q85g)
- CISA Known Exploited Vulnerabilities Catalog
- Clerk: Authentication and User Management