High-Severity Authorization Bypass Found in Clerk SDK's Express and Expo Authentication Layers
A HIGH-severity authorization bypass vulnerability has been identified in @clerk/express and @clerk/clerk-expo, two core authentication packages from the Clerk SDK ecosystem. Cataloged as GHSA-w24r-5266-9c3c, the flaw lets attackers circumvent access controls under specific conditions involving organization, billing, and reverification checks, and it sits directly in the middleware layer that protects backend and mobile endpoints.
The vulnerability was discovered via automated code health scanning on May 3, 2026. Both packages were flagged during standard npm audit verification, confirming the presence of the flaw across affected versions. A fix is already available: developers can apply it without breaking changes by running npm update @clerk/express in backend environments and npm update @clerk/clerk-expo in mobile projects. The patched releases are semver-compatible, which reduces the risk of unintended side effects during deployment.
Clerk is widely deployed across Node.js, React Native, and mobile application stacks that require authentication and user management. The authorization bypass creates particular risk for applications implementing organization-based permissions, subscription-gated features, or step-up authentication flows. While no active exploitation has been reported, the combination of org, billing, and reverification logic in a single bypass path raises concerns for multi-tenant platforms and SaaS products relying on Clerk for access enforcement. Security teams should audit their dependency trees immediately and prioritize patching if either affected package is in use.
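The dependency-tree audit recommended above is easy to get wrong when a copy of an affected package is nested under another dependency rather than installed at the project root. The following script is an added example, not part of the article and not Clerk tooling: it parses a package-lock.json (lockfileVersion 1, 2 or 3) and lists every installed copy of @clerk/express and @clerk/clerk-expo with its version and its path in the tree. The two lockfiles embedded in it are constructed samples with placeholder version numbers; the version ranges that are actually affected and fixed come from the GHSA-w24r-5266-9c3c entry, so compare the reported versions against that advisory rather than against anything in this script.

```python
"""Added example (not from the article or from Clerk): find every installed copy of the
two packages named in GHSA-w24r-5266-9c3c inside an npm lockfile, including copies
nested under other dependencies, so none is missed during patch verification."""
import json
import sys
from typing import Dict, List, Tuple

ADVISORY = "GHSA-w24r-5266-9c3c"
WATCHED = ("@clerk/express", "@clerk/clerk-expo")

# Constructed sample lockfiles with placeholder versions (not real release data).
SAMPLE_LOCK_V3 = {
    "name": "demo-api",
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo-api", "dependencies": {"@clerk/express": "^1.0.0"}},
        "node_modules/@clerk/express": {"version": "1.0.0"},
        "node_modules/some-auth-wrapper": {"version": "2.1.0"},
        # A second, older copy nested under another dependency.
        "node_modules/some-auth-wrapper/node_modules/@clerk/express": {"version": "0.9.0"},
        "node_modules/express": {"version": "4.19.2"},
    },
}

SAMPLE_LOCK_V1 = {
    "name": "demo-mobile",
    "lockfileVersion": 1,
    "dependencies": {
        "@clerk/clerk-expo": {"version": "2.0.0", "dependencies": {"left-pad": {"version": "1.3.0"}}},
        "expo": {"version": "51.0.0"},
    },
}


def scan_lockfile(lock: dict) -> List[Tuple[str, str, str]]:
    """Return sorted (package, version, tree_path) tuples for every watched package copy."""
    found: List[Tuple[str, str, str]] = []
    if "packages" in lock:
        # lockfileVersion 2/3: flat map keyed by install path; "" is the root project.
        for path, meta in lock["packages"].items():
            if not path:
                continue
            # Aliased packages carry an explicit "name"; otherwise derive it from the path.
            name = meta.get("name") or path.rsplit("node_modules/", 1)[-1]
            if name in WATCHED:
                found.append((name, meta.get("version", "?"), path))
    elif "dependencies" in lock:
        # lockfileVersion 1: nested tree, so walk it recursively.
        def walk(deps: Dict[str, dict], prefix: str) -> None:
            for name, meta in deps.items():
                path = f"{prefix}node_modules/{name}"
                if name in WATCHED:
                    found.append((name, meta.get("version", "?"), path))
                walk(meta.get("dependencies", {}), path + "/")

        walk(lock["dependencies"], "")
    return sorted(found)


def format_report(lock: dict) -> List[str]:
    """Human-readable lines; nested copies are flagged because a root-level update may not reach them."""
    hits = scan_lockfile(lock)
    if not hits:
        return [f"No copies of {', '.join(WATCHED)} found; {ADVISORY} does not apply to this lockfile."]
    lines = [f"Copies of packages named in {ADVISORY} (verify each version against the advisory):"]
    for name, version, path in hits:
        nested = path.count("node_modules/") > 1
        note = "  <- nested copy, check separately" if nested else ""
        lines.append(f"  {name}@{version}  at {path}{note}")
    return lines


if __name__ == "__main__":
    # Usage: python scan_clerk_lock.py [path/to/package-lock.json]
    lock_path = sys.argv[1] if len(sys.argv) > 1 else "package-lock.json"
    with open(lock_path, encoding="utf-8") as fh:
        print("\n".join(format_report(json.load(fh))))
```

Run it against each project's lockfile after patching as well as before: a clean result after npm update at the root can still hide an older nested copy, and that copy is the one to check against the advisory's fixed versions.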