CVE

CVE-2026-41248

The `createRouteMatcher` function in `@clerk/nextjs`, `@clerk/nuxt`, and `@clerk/astro` can be bypassed by certain crafted requests, allowing them to skip middleware gating and reach downstream handlers. Sessions are not compromised, and no existing user can be impersonated; the bypass only affects the middleware-level gating decision. Apps relying solely on middleware gating via `createRouteMatcher` are affected, as a crafted request can skip middleware checks and reach downstream handlers (API routes, server components, etc.). This vulnerability arises due to an incorrect authorization check in the route matching logic, allowing unauthorized access to protected routes. The impact is significant as it can lead to unauthorized access to sensitive data or functionality if downstream handlers do not implement their own authentication checks. Mitigation involves upgrading to the patched versions of the affected packages or adding server-side auth checks inside route handlers, server compo...
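The advisory's mitigation is to stop treating the middleware gate as the only authorization point and to re-check the session inside each route handler. The following is an added example, not code from Clerk or from this advisory: the matcher, session store and request shape are simplified stand-ins, and the actual bypass is not modelled at all; a request is simply dispatched with the middleware step skipped, which is the condition a handler must survive. It contrasts a handler that trusts the middleware with one that performs its own check.

```javascript
// Added example, not Clerk's code. Models the advisory's mitigation: authorization
// enforced inside each route handler, so a request that reaches the handler without
// passing through middleware gating is still rejected. All names below are assumptions.

// Constructed session store standing in for a real session backend.
const SESSIONS = new Map([["sess_alice", { userId: "user_alice" }]]);

// Simplified route matcher: each pattern is anchored and matched as a regex,
// e.g. "/api/admin(.*)" covers "/api/admin" and anything beneath it.
function createRouteMatcher(patterns) {
  const regexes = patterns.map((p) => new RegExp(`^${p}$`));
  return (path) => regexes.some((re) => re.test(path));
}

const isProtectedRoute = createRouteMatcher(["/api/admin(.*)", "/dashboard(.*)"]);

// Resolve the caller's session from the request cookie, or null if unauthenticated.
function getSession(request) {
  const token = request.cookies && request.cookies.__session;
  return (token && SESSIONS.get(token)) || null;
}

// Layer 1: middleware-level gating. Returns a response to short-circuit with,
// or null to let the request continue to its handler.
function middleware(request) {
  if (isProtectedRoute(request.path) && !getSession(request)) {
    return { status: 401, body: "unauthenticated (middleware)" };
  }
  return null;
}

// Vulnerable pattern: the handler assumes middleware already gated the request.
function adminHandlerTrustingMiddleware(request) {
  return { status: 200, body: "admin data" };
}

// Hardened pattern: the handler re-checks the session itself, independent of middleware.
function adminHandlerWithOwnCheck(request) {
  const session = getSession(request);
  if (!session) return { status: 401, body: "unauthenticated (handler)" };
  return { status: 200, body: `admin data for ${session.userId}` };
}

// Dispatch a request through middleware (unless skipped) and then the handler.
// `skipMiddleware` stands in for any condition under which a request reaches the
// handler without the middleware gate having run; the real mechanism is not modelled.
function handle(request, handler, { skipMiddleware = false } = {}) {
  if (!skipMiddleware) {
    const gated = middleware(request);
    if (gated) return gated;
  }
  return handler(request);
}

// Constructed requests used by the scenarios below.
const anonymous = { path: "/api/admin/users", cookies: {} };
const alice = { path: "/api/admin/users", cookies: { __session: "sess_alice" } };

// Status codes for each combination of caller, path and handler style.
function scenarios() {
  return {
    anonViaMiddlewareTrusting: handle(anonymous, adminHandlerTrustingMiddleware).status,
    anonSkippedTrusting: handle(anonymous, adminHandlerTrustingMiddleware, { skipMiddleware: true }).status,
    anonSkippedOwnCheck: handle(anonymous, adminHandlerWithOwnCheck, { skipMiddleware: true }).status,
    aliceViaMiddlewareOwnCheck: handle(alice, adminHandlerWithOwnCheck).status,
  };
}

console.table(scenarios());
```

The `anonSkippedTrusting` row is the case the advisory describes: once the middleware decision is skipped, a handler that performs no check of its own serves the protected response. The `anonSkippedOwnCheck` row shows that a handler which resolves the session itself returns 401 regardless of whether middleware ran, which is why the per-handler check is the durable fix alongside upgrading.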
CVSS

CVSS Version: 3.1
Base Score: 9.1 (Critical)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

Basic Information

Base CVSS: 9.1
EPSS Probability: 0%
EPSS Percentile: 0%

Introduced Versions:
7.0.0-canary-core3.v20251124105058
5.8.0-canary.v1be6dac
5.0.0-beta-v5.21
4.0.0-canary-core3.v20251124105058
2.23.0-canary.v20250218210704
2.20.17-canary.v20250130161752
3.30.0-canary.v20251030075126
3.0.0-canary-core3.v20251124105058
2.0.0-canary.v20241209161231
0.0.1-canary.v7ae5681
2.0.0-canary-core3.v20251124105058
0.0.1-canary.v0c5429ea2d5a43ee22c901ccc1ace4665b893536

Fix Available:
7.2.1-canary.v20260415142102
6.39.2
5.7.6
4.8.1-canary.v20260415142102
3.47.4
2.22.1
3.0.15-canary.v20260415142102
2.17.10
1.5.7
2.2.2-canary.v20260415142102
1.13.28
