CVE-2026-34076 is a Server-Side Request Forgery (SSRF) vulnerability classified under CWE-918, found in the official Clerk JavaScript authentication libraries. Specifically, the vulnerability resides in the clerkFrontendApiProxy function of the @clerk/backend package and its integrations with @clerk/hono, @clerk/express, and @clerk/fastify. Versions affected include @clerk/hono from 0.1.0 up to but not including 0.1.5, @clerk/express from 2.0.0 up to but not including 2.0.7, @clerk/backend from 3.0.0 up to but not including 3.2.3, and @clerk/fastify from 3.1.0 up to but not including 3.1.5. The vulnerability allows an unauthenticated attacker to craft a specially designed request path that abuses the proxy function to send the application's Clerk-Secret-Key to an attacker-controlled server. This secret key is critical for authentication and authorization processes within applications using Clerk, and its exposure can lead to unauthorized access and manipulation of user sessions or data. The CVSS v3.1 base score is 7.4, reflecting high severity due to the network attack vector, no privileges or user interaction required, and high impact on confidentiality and integrity, though availability is not affected. The attack complexity is high, indicating some difficulty in exploitation, but the lack of authentication requirements increases risk. No known exploits have been reported in the wild as of the publication date, but the vulnerability has been publicly disclosed and patched in the specified versions. Organizations using affected Clerk JavaScript libraries should upgrade immediately to the patched versions to prevent potential compromise.

The primary impact of this vulnerability is the unauthorized disclosure of the Clerk-Secret-Key, a sensitive credential that underpins authentication and session management in applications using Clerk JavaScript libraries. If an attacker obtains this secret key, they can potentially impersonate legitimate users, escalate privileges, or manipulate authentication flows, leading to data breaches, unauthorized access to user accounts, and compromise of application integrity. The confidentiality of user data and authentication tokens is at significant risk. Although availability is not directly impacted, the integrity and confidentiality breaches can cause severe reputational damage, regulatory penalties, and loss of user trust. Organizations relying on Clerk for authentication, especially those with high-value or sensitive data, face increased risk of targeted attacks. The vulnerability's network-based exploitation and lack of required authentication mean attackers can attempt exploitation remotely, increasing the threat surface. The absence of known exploits in the wild currently reduces immediate risk but does not eliminate the potential for future attacks, especially as the vulnerability is publicly documented.

1. Immediate upgrade of all affected Clerk JavaScript packages to the patched versions: @clerk/hono to 0.1.5 or later, @clerk/express to 2.0.7 or later, @clerk/backend to 3.2.3 or later, and @clerk/fastify to 3.1.5 or later. 2. Review and rotate Clerk-Secret-Keys used in affected applications to invalidate any potentially compromised keys. 3. Implement strict network egress controls and monitoring to detect and block unauthorized outbound requests that could indicate SSRF exploitation attempts. 4. Employ runtime application self-protection (RASP) or web application firewalls (WAF) with rules targeting SSRF patterns and anomalous proxy requests. 5. Conduct thorough code audits and penetration testing focusing on SSRF and proxy-related functionalities in authentication flows. 6. Educate development teams on secure coding practices to avoid proxy misuse and validate all incoming request paths rigorously. 7. Monitor security advisories from Clerk and related communities for updates or emerging exploit reports. 8. Use environment segmentation and least privilege principles to limit the impact scope if a secret key is compromised.