CVE-2026-34076

Clerk JavaScript: SSRF in the opt-in clerkFrontendApiProxy feature may leak secret keys to unintended host

Description

Clerk JavaScript is the official JavaScript repository for Clerk authentication. In @clerk/hono from versions 0.1.0 to before 0.1.5, @clerk/express from versions 2.0.0 to before 2.0.7, @clerk/backend from versions 3.0.0 to before 3.2.3, and @clerk/fastify from versions 3.1.0 to before 3.1.5, the clerkFrontendApiProxy function in @clerk/backend is vulnerable to Server-Side Request Forgery (SSRF). An unauthenticated attacker can craft a request path that causes the proxy to send the application's Clerk-Secret-Key to an attacker-controlled server. This issue has been patched in @clerk/hono version 0.1.5, @clerk/express version 2.0.7, @clerk/backend version 3.2.3, and @clerk/fastify version 3.1.5.

INFO

Published Date :

2026-04-01T16:59:21.828Z

Last Modified :

2026-04-01T18:00:23.118Z

Source :

GitHub_M

AFFECTED PRODUCTS

The following products are affected by CVE-2026-34076 vulnerability.

Vendors	Products
Clerk	Javascript

REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2026-34076.

URL	Resource
https://github.com/clerk/javascript/security/advisories/GHSA-gjxx-92w9-8v8f

CVSS Vulnerability Scoring System

V3.1

Detailed values of each vector for above chart.

Attack Vector

Attack Complexity

Privileges Required

User Interaction

Scope

Confidentiality Impact

Integrity Impact

Availability Impact