Platform: nodejs
Component: @clerk/backend
Fixed in: 0.1.1, 2.0.1, 3.0.1, 3.1.1, 3.2.3
CVE-2026-34076 describes a Server-Side Request Forgery (SSRF) vulnerability found in the @clerk/backend Node.js package. This flaw allows an unauthenticated attacker to potentially extract the application's Clerk-Secret-Key by crafting malicious request paths. The vulnerability affects applications that have explicitly enabled the frontendApiProxy feature, which is not enabled by default; users of @clerk/nextjs are not affected. A fix is available in version 3.2.3.
The primary impact of CVE-2026-34076 is the potential exposure of the Clerk-Secret-Key. This key is crucial for authentication and authorization within Clerk applications. If an attacker obtains this key, they could impersonate legitimate users, access sensitive data, and potentially compromise the entire application. The attack vector involves crafting a specific request path that tricks the clerkFrontendApiProxy function into sending the secret key to a server controlled by the attacker. This is a significant risk, particularly for applications handling sensitive user data or financial transactions.
This vulnerability was publicly disclosed on March 27, 2026. There is no indication of active exploitation at this time, and it is not currently listed on the CISA KEV catalog. Public proof-of-concept (PoC) code is not widely available, but the vulnerability's nature makes it relatively straightforward to exploit once the application is identified as using the vulnerable version of @clerk/backend with the frontendApiProxy feature enabled.
Exploit Status: EPSS 0.04% (14th percentile)
The recommended mitigation for CVE-2026-34076 is to upgrade to @clerk/backend version 3.2.3 or later. This version includes a fix that prevents the SSRF vulnerability. If upgrading is not immediately feasible, consider disabling the frontendApiProxy feature within your application configuration. This will prevent the vulnerable functionality from being exposed. As a temporary workaround, implement strict input validation on request paths to prevent malicious path traversal attempts. After upgrading, confirm the fix by attempting to trigger the vulnerable endpoint with a crafted request and verifying that the Clerk-Secret-Key is not exposed.
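As an added illustration (not code from Clerk or the @clerk/backend package) of the "strict input validation on request paths" workaround above, the function below is the kind of check a proxy handler can run before forwarding: it resolves the caller-supplied path against the configured Frontend API base and refuses anything whose resulting origin or path prefix differs. The base URL, the function name and the sample inputs are assumptions for illustration.

```javascript
// Added example, not code from Clerk or @clerk/backend. It illustrates the
// "strict input validation on request paths" mitigation: a proxy handler
// resolves the caller-supplied path against the configured Frontend API base
// and refuses anything that would change the host or escape the base path.
// FRONTEND_API_BASE is a placeholder (assumption), not a real Clerk endpoint.
const FRONTEND_API_BASE = 'https://frontend-api.example.invalid/';

function resolveProxyTarget(requestPath, base = FRONTEND_API_BASE) {
  if (typeof requestPath !== 'string' || requestPath === '') return null;

  // Accept only a plain absolute-path reference. A full URL, a protocol-relative
  // "//host/..." form, or a backslash (which the WHATWG parser normalises to "/")
  // is rejected before the input ever reaches the URL parser.
  if (!requestPath.startsWith('/') || requestPath.startsWith('//')) return null;
  if (requestPath.includes('\\')) return null;

  let target;
  try {
    target = new URL(requestPath, base);
  } catch {
    return null; // unparsable input
  }

  const expected = new URL(base);

  // Pin the origin: the proxy may only ever talk to the configured host,
  // whatever the path looked like before resolution.
  if (target.origin !== expected.origin) return null;

  // Dot-segments ("..") are collapsed by the parser; require the resolved
  // path to stay underneath the configured base path.
  if (!target.pathname.startsWith(expected.pathname)) return null;

  return target.href;
}

// Constructed sample inputs for a quick local run.
const samples = ['/v1/client', '//other.example/v1/client', 'https://other.example/'];
for (const s of samples) {
  console.log(JSON.stringify(s), '->', resolveProxyTarget(s));
}
```

The returned URL string is the only value the proxy should forward to; a `null` result means the request must be refused, not "repaired".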
Update the @clerk/hono, @clerk/express, @clerk/backend, and @clerk/fastify packages to versions 0.1.5, 2.0.7, 3.2.3, and 3.1.5 respectively, or higher. This corrects the SSRF vulnerability that could expose the Clerk secret key.
CVE-2026-34076 is a Server-Side Request Forgery (SSRF) vulnerability in the @clerk/backend Node.js package, allowing attackers to potentially extract the Clerk-Secret-Key.
You are affected if you use @clerk/backend versions prior to 3.2.3 and have enabled the frontendApiProxy feature. Users of @clerk/nextjs are not affected.
Upgrade to @clerk/backend version 3.2.3 or disable the frontendApiProxy feature in your application configuration.
There is currently no indication of active exploitation of CVE-2026-34076.
Refer to the Clerk security advisory for detailed information and updates: [https://clerk.com/docs/security](https://clerk.com/docs/security)