chore(deps): update dependency @clerk/nextjs to v6.39.2 [security] - abandoned

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
@clerk/nextjs (source)	6.39.0 → 6.39.2

GitHub Vulnerability Alerts

GHSA-vqx2-fgx2-5wq9

Summary

createRouteMatcher in @clerk/nextjs, @clerk/nuxt, and @clerk/astro can be bypassed by certain crafted requests, allowing them to skip middleware gating and reach downstream handlers.

Sessions are not compromised and no existing user can be impersonated - the bypass only affects the middleware-level gating decision.

Who is affected

All apps using createRouteMatcher should upgrade to the patched versions. Patches are drop-in with no API changes. The information below describes the scope of the bypass and helps you understand whether you are potentially affected, but is not a reason to delay the upgrade.

Apps relying only on middleware gating via createRouteMatcher are affected, because a crafted request can skip middleware checks and reach downstream handlers (API routes, server components, etc.). This middleware pattern permits the bypass:

// Next.js example, equivalent patterns exist in Nuxt and Astro
const isProtectedRoute = createRouteMatcher(['/admin(.*)']);

export default clerkMiddleware(async (auth, req) => {
  if (isProtectedRoute(req)) {
    await auth.protect();
  }
});

That said, the bypass is limited to the middleware-level route-matching gate. clerkMiddleware still authenticates the request and auth() reflects the real authentication state of the caller. Auth checks performed inside your route handlers, server components, or server actions continue to work correctly and are not affected. Whether your app is affected in practice depends on whether you have those downstream checks.

External APIs that authenticate each request with a token are also unaffected on those endpoints, since token verification runs independently.

Additionally, this common middleware pattern correctly blocks the bypass at the middleware layer:

// Next.js example, equivalent patterns exist in Nuxt and Astro
const isPublicRoute = createRouteMatcher(['/docs(.*)']);

export default clerkMiddleware(async (auth, req) => {
  if (!isPublicRoute(req)) {
    await auth.protect();
  }
});

@clerk/shared is usually not imported directly in application code, but if you import createPathMatcher from an affected @clerk/shared version, you are also affected. Run npm why @​clerk/shared (or your package manager's equivalent) to check your installed version.

Recommended actions

Install the patched version for your framework (pick the one matching your current major):

@clerk/nextjs

• v7.x: fixed in 7.2.1
• v6.x: fixed in 6.39.2
• v5.x: fixed in 5.7.6

@clerk/nuxt

• v2.x: fixed in 2.2.2
• v1.x: fixed in 1.13.28

@clerk/astro

• v3.x: fixed in 3.0.15
• v2.x: fixed in 2.17.10
• v1.x: fixed in 1.5.7

@clerk/shared

• v4.x: fixed in 4.8.1
• v3.x: fixed in 3.47.4
• v2.x: fixed in 2.22.1

Workaround

If you cannot upgrade immediately, adding server-side auth checks (auth()) inside your route handlers, server components, or server actions provides defense-in-depth against this bypass.

Timeline

This issue was reported on 13 APR 2026, patched on 15 APR 2026, and publicly disclosed on 15 APR 2026.

Thanks to Christiaan Swiers for the responsible disclosure of this vulnerability.

Severity

• CVSS Score: 9.1 / 10 (Critical)
• Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

---

Release Notes

clerk/javascript (@​clerk/nextjs)

v6.39.2

Compare Source

Patch Changes

• Normalize URL paths in createPathMatcher to prevent route protection bypass (#​8310) by @​nikosdouvlis

• Updated dependencies [2c14f0e]:

  • @​clerk/shared@​3.47.4
  • @​clerk/backend@​2.33.2
  • @​clerk/clerk-react@​5.61.5
  • @​clerk/types@​4.101.22

v6.39.1

Compare Source

Patch Changes

• Updated dependencies [e5f213f]:
  • @​clerk/shared@​3.47.3
  • @​clerk/backend@​2.33.1
  • @​clerk/clerk-react@​5.61.4
  • @​clerk/types@​4.101.21

---

Configuration

📅 Schedule: (in timezone Europe/Amsterdam)

• Branch creation
  • ""
• Automerge
  • Between 12:00 AM and 03:59 AM, only on Monday (* 0-3 * * 1)

🚦 Automerge: Enabled.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
northware-cockpit	Canceled		Apr 16, 2026 9:59pm
northware-docs	Ready	Preview, Comment	Apr 16, 2026 9:59pm
northware-storybook	Ready	Preview, Comment	Apr 16, 2026 9:59pm

[changeset-bot]

⚠️ No Changeset found

Latest commit: 358809e

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR

[renovate]

Edited/Blocked Notification

Renovate will not automatically rebase this PR, because it does not recognize the last commit author and assumes somebody else may have edited the PR.

You can manually request rebase by checking the rebase/retry box above.

⚠️ Warning: custom changes will be lost.

[renovate]

Autoclosing Skipped

This PR has been flagged for autoclosing. However, it is being skipped due to the branch being already modified. Please close/delete it manually or report a bug if you think this is in error.