Clerk Backend Library Exposes Critical SSRF Flaw, Leaks Secret Keys to Attackers
A critical Server-Side Request Forgery (SSRF) vulnerability in Clerk's official backend library can be exploited by unauthenticated attackers to steal the application's secret keys. The flaw, tracked as CVE-2026-34076, resides in the `clerkFrontendApiProxy` function within the `@clerk/backend` npm package. By crafting a specific request path, an attacker can force the proxy to send the sensitive `Clerk-Secret-Key` to an arbitrary external server under their control.
The security advisory, published by Clerk on GitHub, warns that the vulnerability affects versions prior to 3.2.3. The issue is not theoretical; it provides a direct vector for credential theft. The `Clerk-Secret-Key` is a master credential that, if compromised, could allow an attacker to impersonate the application, bypass authentication, and potentially access or manipulate user data across all services using the compromised Clerk instance. The flaw stems from improper validation or sanitization of the user-supplied request path within the proxy routing logic, which lets the path determine where the outbound request (and the secret header attached to it) is sent.
The immediate pressure is on all development teams using `@clerk/backend` to urgently update to version 3.2.3, which contains the security patch. The vulnerability places thousands of web applications and services that rely on Clerk for user authentication and management at direct risk. Failure to patch promptly could lead to widespread credential leakage, subsequent account takeovers, and data breaches, with significant liability for affected organizations. The disclosure triggers a race against time for sysadmins and DevOps teams to audit their dependencies and apply the fix before exploitation attempts begin.
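The two defensive controls this story calls for are (a) a proxy that never attaches a server-side secret to a request unless the resolved upstream URL still points at the one trusted origin, and (b) a dependency audit that compares installed versions against the fixed release numerically. The following is an added example illustrating both, not code from Clerk, the `@clerk/backend` package or its patch; the upstream origin `https://frontend-api.example.test`, the function names, and the sample key are constructed for illustration, and only the header name `Clerk-Secret-Key` and the fixed version 3.2.3 come from the advisory.

```javascript
// Added example (not Clerk's code). Assumptions: one trusted upstream origin is
// configured, and the secret travels in the "Clerk-Secret-Key" header named in
// the advisory. Everything else here is constructed for illustration.
const TRUSTED_UPSTREAM_ORIGIN = "https://frontend-api.example.test"; // assumed
const SECRET_HEADER = "Clerk-Secret-Key";
const FIXED_VERSION = [3, 2, 3]; // first patched @clerk/backend release

/**
 * Resolve a user-supplied request path against the trusted upstream origin.
 * Returns the absolute URL string only if the result still has that origin;
 * returns null for anything that would send the request elsewhere (absolute
 * URLs, protocol-relative "//host" paths, a different scheme or port).
 */
function resolveUpstreamUrl(requestPath, trustedOrigin = TRUSTED_UPSTREAM_ORIGIN) {
  let target;
  try {
    target = new URL(requestPath, trustedOrigin);
  } catch {
    return null; // unparsable input is rejected rather than forwarded
  }
  // Compare the full origin (scheme + host + port), not just the hostname.
  if (target.origin !== new URL(trustedOrigin).origin) {
    return null;
  }
  return target.toString();
}

/**
 * Build the outbound request. The secret header is attached only after the
 * target has been pinned to the trusted origin; a null result means "do not
 * send anything". Client-supplied copies of the secret header are dropped so
 * they can neither be spoofed nor echoed back.
 */
function buildProxyRequest(requestPath, secretKey, incomingHeaders = {}) {
  const url = resolveUpstreamUrl(requestPath);
  if (url === null) {
    return null;
  }
  const headers = {};
  for (const [name, value] of Object.entries(incomingHeaders)) {
    if (name.toLowerCase() !== SECRET_HEADER.toLowerCase()) {
      headers[name] = value;
    }
  }
  headers[SECRET_HEADER] = secretKey;
  return { url, headers };
}

/**
 * Dependency-audit helper: true if the installed version predates the fixed
 * release. Compares each component as a number so that "3.10.0" is correctly
 * treated as newer than "3.2.3", and treats a pre-release of the fixed
 * version (e.g. "3.2.3-rc.1") as still affected, as semver ordering requires.
 */
function isAffectedVersion(installedVersion, fixed = FIXED_VERSION) {
  const [core, prerelease] = installedVersion.split("-", 2);
  const parts = core.split(".").map(Number);
  if (parts.length !== 3 || parts.some(Number.isNaN)) {
    throw new Error(`unrecognized version string: ${installedVersion}`);
  }
  for (let i = 0; i < 3; i++) {
    if (parts[i] < fixed[i]) return true;
    if (parts[i] > fixed[i]) return false;
  }
  return prerelease !== undefined;
}

// Stand-alone demonstration with constructed inputs.
console.log(resolveUpstreamUrl("/v1/client"));          // trusted origin: forwarded
console.log(resolveUpstreamUrl("//other.example/v1"));  // origin changed: null
console.log(isAffectedVersion("3.2.2"), isAffectedVersion("3.10.0"));
```

The important design choice is where the secret is attached: only after the URL has been fully resolved and its origin compared, never before, and never on the basis of a string-prefix check on the raw path, which protocol-relative and absolute inputs defeat. The version helper exists because a lexical comparison such as `"3.10.0" < "3.2.3"` evaluates to true in JavaScript and would misclassify a patched install as vulnerable.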