
CVE

CVE-2026-34076

Clerk: SSRF in the opt-in clerkFrontendApiProxy feature may leak secret keys to unintended host

Summary

The clerkFrontendApiProxy function in @clerk/backend is vulnerable to Server-Side Request Forgery (SSRF). An unauthenticated attacker can craft a request path that causes the proxy to send the application's Clerk-Secret-Key to an attacker-controlled server.

Affected packages

Only applications that have opted into the frontendApiProxy feature are affected. This feature is not enabled by default. Users of @clerk/nextjs are not affected due to how the framework handles repeated / in request paths.

| Package | Affected versions | Fixed version |
|---|---|---|
| @clerk/backend | >= 3.0.0, <= 3.2.2 | 3.2.3 |
| @clerk/express | >= 2.0.0, <= 2.0.6 | 2.0.7 |
| @clerk/hono | >= 0.1.0, <= 0.1.4 | 0.1.5 |
| @clerk/fastify | >= 3.1.0, <= 3.1.4 | 3.1.5 |

Search your codebase for the frontendApiProxy option. If none of the patterns below appear in your code, you are not affected.

@clerk/express

app.use(clerkMiddleware({ frontendApiProxy: { enabled: true } }));

@clerk/hono

app.use('*', clerkMiddleware({ frontendApiProxy: { enabled: true } }));

@clerk/fastify

fastify.register(clerkPlugin, { frontendApiProxy: { enabled: true } });

@clerk/backend

import { clerkFrontendApiProxy } from '@clerk/backend/proxy';

A quick way to check across your entire project:

grep -r "frontendApiProxy\|clerkFrontendApiProxy" .

If there are no matches, you are not using this feature.

Recommended actions

Clerk's internal logs show no evidence of users using the built-in proxy with the impacted versions. Despite that, if you are on an impacted version and use the built-in proxy, we recommend upgrading and rotating your Clerk Secret Key immediately.

  1. Upgrade to the patched version of @clerk/backend (and @clerk/express, @clerk/hono, etc.)
  2. Rotate your Clerk Secret Key after upgrading - if an attacker exploited this vulnerability, they may have captured your key. Rotate it in the Clerk Dashboard under API Keys. Deploy your application with the updated key before revoking the existing key.
  3. Audit access logs for requests to your proxy endpoint (/__clerk/ by default) containing double slashes in the path.
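To support step 3, the following is an added example (not from the advisory or Clerk's own code) that scans access-log lines for requests to the proxy prefix whose path contains a double slash. The /__clerk/ prefix is the advisory's default; the combined log format, the percent-decoding of paths before matching, and the sample lines are assumptions of this example.

```javascript
// Added example: flag access-log requests to the Clerk proxy endpoint whose
// path contains a repeated slash (advisory step 3). Assumes the default
// /__clerk/ prefix and Apache/nginx "combined" log format.

const PROXY_PREFIX = '/__clerk/';

// combined format: ip - user [date] "METHOD path HTTP/x" status bytes ...
const LOG_RE = /^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})/;

// Parse one log line into its useful fields; returns null on unparsable input.
function parseLine(line) {
  const m = LOG_RE.exec(line);
  if (!m) return null;
  return { ip: m[1], time: m[2], method: m[3], path: m[4], status: Number(m[5]) };
}

// True when the request path targets the proxy prefix and contains "//".
// The query string is ignored; the path is percent-decoded first so that an
// encoded slash is compared the way a server would see it (an assumption).
function isSuspiciousPath(path, prefix = PROXY_PREFIX) {
  const pathOnly = path.split('?')[0];
  let decoded = pathOnly;
  try { decoded = decodeURIComponent(pathOnly); } catch (_) { /* keep raw */ }
  if (!decoded.startsWith(prefix)) return false;
  return decoded.includes('//');
}

// Return the parsed records that should be reviewed by hand.
function findSuspiciousRequests(logText, prefix = PROXY_PREFIX) {
  return logText.split('\n')
    .map(parseLine)
    .filter(r => r && isSuspiciousPath(r.path, prefix));
}

// Constructed sample log lines (not real traffic).
const SAMPLE_LOG = [
  '203.0.113.5 - - [10/Apr/2026:12:00:01 +0000] "GET /__clerk/v1/client HTTP/1.1" 200 512 "-" "curl/8.0"',
  '203.0.113.5 - - [10/Apr/2026:12:00:02 +0000] "GET /__clerk//v1/client HTTP/1.1" 200 0 "-" "curl/8.0"',
  '198.51.100.7 - - [10/Apr/2026:12:00:03 +0000] "GET /api//items HTTP/1.1" 404 0 "-" "Mozilla/5.0"',
  '198.51.100.7 - - [10/Apr/2026:12:00:04 +0000] "GET /__clerk/v1/environment?x=a//b HTTP/1.1" 200 10 "-" "Mozilla/5.0"',
].join('\n');

for (const hit of findSuspiciousRequests(SAMPLE_LOG)) {
  console.log(`${hit.time} ${hit.ip} ${hit.method} ${hit.path} ${hit.status}`);
}
```

Any hit is a lead for review, not proof of exploitation; correlate the source address and timing with the key rotation in step 2.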

Credit

Discovered during an internal code audit.


CVSS

Severity: High
Base Score: 7.4
CVSS Version: 3.1
Score Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N


References

https://github.com/clerk/javascript/security/advisories/GHSA-gjxx-92w9-8v8f
https://nvd.nist.gov/vuln/detail/CVE-2026-34076
https://github.com/clerk/javascript


Basic Information

Base CVSS: 7.4
EPSS Probability: 0.00033%
EPSS Percentile: 0.09938%
Introduced Version: 3.0.0, 2.0.0, 0.1.0, 3.1.0, 3.0.0-canary.v20260213162429, 3.0.0-snapshot.v20260213191703
Fix Available: 3.2.3, 2.0.7, 0.1.5, 3.1.5, 3.2.3-canary.v20260325183559, 3.2.4-snapshot.v20260331162920
