Skip to main content

CVE-2026-34076

| EUVDEUVD-2026-17974 HIGH
Server-Side Request Forgery (SSRF) (CWE-918)
2026-03-27 https://github.com/clerk/javascript GHSA-gjxx-92w9-8v8f
7.4
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
7.4 HIGH
AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
None

Lifecycle Timeline

5
Re-analysis Queued
Apr 29, 2026 - 21:07 vuln.today
cvss_changed
Patch released
Mar 31, 2026 - 21:13 nvd
Patch available
EUVD ID Assigned
Mar 27, 2026 - 20:30 euvd
EUVD-2026-17974
Analysis Generated
Mar 27, 2026 - 20:30 vuln.today
CVE Published
Mar 27, 2026 - 19:58 nvd
HIGH 7.4

Blast Radius

ecosystem impact
† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth
  • 1 npm packages depend on @clerk/backend (1 direct, 0 indirect)

Ecosystem-wide dependent count for version 3.0.0.

DescriptionGitHub Advisory

Summary

The clerkFrontendApiProxy function in @clerk/backend is vulnerable to Server-Side Request Forgery (SSRF). An unauthenticated attacker can craft a request path that causes the proxy to send the application's Clerk-Secret-Key to an attacker-controlled server.

Affected packages

Only applications that have opted into the frontendApiProxy feature are affected. This feature is not enabled by default. Users of @clerk/nextjs are not affected due to how the framework handles repeated / in request paths.

PackageAffected versionsFixed version
@clerk/backend>= 3.0.0, <= 3.2.23.2.3
@clerk/express>= 2.0.0, <= 2.0.62.0.7
@clerk/hono>= 0.1.0, <= 0.1.40.1.5
@clerk/fastify>= 3.1.0, <= 3.1.43.1.5

Search your codebase for the frontendApiProxy option. If none of the patterns below appear in your code, you are not affected.

@clerk/express

ts
app.use(clerkMiddleware({ frontendApiProxy: { enabled: true } }));

@clerk/hono

ts
app.use('*', clerkMiddleware({ frontendApiProxy: { enabled: true } }));

@clerk/fastify

ts
fastify.register(clerkPlugin, { frontendApiProxy: { enabled: true } });

@clerk/backend

ts
import { clerkFrontendApiProxy } from '@clerk/backend/proxy';

A quick way to check across your entire project:

sh
grep -r "frontendApiProxy\|clerkFrontendApiProxy" .

If there are no matches, you are not using this feature.

Recommended actions

Clerk's internal logs show no evidence of users utilizing the built-in proxy with the impacted versions. Despite that, if you are on an impacted version and use the built-in proxy we recommend upgrading and rotating your Clerk Secret Key immediately.

  1. Upgrade to the patched version of @clerk/backend (and @clerk/express, @clerk/hono, etc.)
  2. Rotate your Clerk Secret Key after upgrading - if an attacker exploited this vulnerability, they may have captured your key. Rotate it in the Clerk Dashboard under API Keys. You should deploy your application with the updated key before revoking the existing key.
  3. Audit access logs for requests to your proxy endpoint (/__clerk/ by default) containing double slashes in the path.

Credit

Discovered during an internal code audit.

AnalysisAI

A SSRF vulnerability (CVSS 7.4). High severity vulnerability requiring prompt remediation.

Technical ContextAI

CWE-918 (Server-Side Request Forgery). CVSS 7.4 indicates high severity.

RemediationAI

Monitor vendor channels for patch availability.

Share

CVE-2026-34076 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy