JustAppSec

Clerk patches SSRF that leaks Clerk-Secret-Key

Published 01 Apr 2026 · Updated 01 Apr 2026 · Source: CVEProject (cvelistV5)

TL;DR — A High-severity SSRF in Clerk’s clerkFrontendApiProxy can leak an application’s Clerk-Secret-Key to an attacker-controlled host via a crafted request path.

What happened

Clerk is an authentication/identity platform; the @clerk/* server SDKs are used in backend services to integrate Clerk auth and related API calls.

CVE-2026-34076 (GitHub CNA publication) reports that the clerkFrontendApiProxy function in @clerk/backend is vulnerable to Server-Side Request Forgery (SSRF). Per the CVE record, an unauthenticated attacker can craft a request path that causes the proxy to send the application’s Clerk-Secret-Key to an attacker-controlled server.

Severity is CVSS v3.1 7.4 (High). SSRF in proxy/helper code is a high-signal class: when the backend attaches its own credentials to every outbound request, control over the destination turns "just routing" logic into a secret-exfiltration primitive, with no need to read the response.
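The class described above, as an added example that is not Clerk's code and does not reproduce the mechanism of CVE-2026-34076 (the CVE record summarized here does not describe how the crafted path works): a generic proxy helper that builds its upstream URL from a caller-supplied path and attaches a backend secret, first in a vulnerable form and then hardened. UPSTREAM, SECRET, the function names and the sample paths are placeholders chosen for this illustration.

```javascript
// Generic SSRF-in-proxy illustration (added example; not Clerk's code and
// not the CVE-2026-34076 mechanism). UPSTREAM and SECRET are placeholders.
const UPSTREAM = 'https://api.example.invalid'; // assumed fixed upstream origin
const SECRET = 'sk_placeholder_not_a_real_key';  // assumed backend secret

// Vulnerable pattern: resolving the caller's path against the upstream base
// with the WHATWG URL parser. Scheme-relative input such as "//evil/x", or
// "/\evil/x" (backslash counts as slash for http(s)), re-targets the host,
// and the secret is attached regardless of where the request is going.
function buildUpstreamVulnerable(requestPath) {
  const url = new URL(requestPath, UPSTREAM);
  return { url: url.href, headers: { Authorization: `Bearer ${SECRET}` } };
}

// Hardened pattern: accept only absolute-path references, resolve them, and
// compare the *parsed* origin (not the raw string) with the configured one
// before any credential is attached. Checking the parsed result is what
// catches the "/\" variant that a startsWith('/') check alone lets through.
function buildUpstreamHardened(requestPath) {
  if (typeof requestPath !== 'string' || !requestPath.startsWith('/')) {
    throw new Error('path must start with "/"');
  }
  const base = new URL(UPSTREAM);
  const url = new URL(requestPath, base);
  if (url.origin !== base.origin) {
    throw new Error(`refusing to proxy to ${url.origin}`);
  }
  if (url.username || url.password) {
    throw new Error('userinfo in proxied path');
  }
  return { url: url.href, headers: { Authorization: `Bearer ${SECRET}` } };
}

// Host the outbound request would actually reach, or "(rejected)" when the
// builder refused the path. Used by the demo below.
function targetHost(builder, requestPath) {
  try {
    return new URL(builder(requestPath).url).host;
  } catch (e) {
    return '(rejected)';
  }
}

// Constructed sample request paths: one legitimate, three hostile.
const SAMPLE_PATHS = [
  '/v1/me',
  '//evil.example/v1/me',
  '/\\evil.example/v1/me',
  'https://evil.example/v1/me',
];

function demo() {
  return SAMPLE_PATHS.map((p) => ({
    path: p,
    vulnerable: targetHost(buildUpstreamVulnerable, p),
    hardened: targetHost(buildUpstreamHardened, p),
  }));
}

for (const row of demo()) {
  console.log(
    `${row.path.padEnd(28)} vulnerable -> ${row.vulnerable.padEnd(20)} hardened -> ${row.hardened}`,
  );
}
```

The point of the hardened form is where the check sits: after parsing and before the credential is added. Validating the raw string first (for example rejecting a leading "//") is not enough, because the parser has its own ideas about what a slash is.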

Who is impacted

  • Deployments using affected versions of Clerk’s JavaScript server SDKs where the opt-in clerkFrontendApiProxy behavior is reachable.

  Component        Affected versions (per CVE record)   Patched version (per CVE record)
  @clerk/hono      >= 0.1.0, < 0.1.5                    0.1.5
  @clerk/express   >= 2.0.0, < 2.0.7                    2.0.7
  @clerk/backend   >= 3.0.0, < 3.2.3                    3.2.3
  @clerk/fastify   >= 3.1.0, < 3.1.5                    3.1.5

What to do now

  • Follow vendor remediation guidance and apply the patched releases described in the CVE record.
    • "This issue has been patched in @clerk/hono version 0.1.5, @clerk/express version 2.0.7, @clerk/backend version 3.2.3, and @clerk/fastify version 3.1.5."

  • Inventory services that depend on @clerk/backend, @clerk/express, @clerk/fastify, or @clerk/hono, and confirm whether clerkFrontendApiProxy is enabled/reachable in production request paths.
  • Treat potential Clerk-Secret-Key exposure as a credential incident: if you suspect abuse (unexpected outbound requests, suspicious proxy paths, or unknown hosts receiving traffic), rotate the affected application secret and review egress logs around the proxy feature.
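One way to do the inventory step above, as an added example rather than a Clerk-provided tool: walk an npm lockfile and flag every installed copy of the four packages whose version falls inside the affected ranges quoted in the CVE record. It assumes a lockfileVersion 2 or 3 file (the "packages" map npm 7+ writes), including nested node_modules copies that a top-level check would miss; the sample lockfile is constructed for this example and is not from a real project.

```javascript
// Added example (not Clerk's code): flag affected @clerk/* server SDK
// versions in an npm lockfile. Assumes lockfileVersion 2/3 ("packages" map).

// Affected lower bounds and patched versions, copied from the CVE record.
const ADVISORY = {
  '@clerk/hono':    { min: '0.1.0', fixed: '0.1.5' },
  '@clerk/express': { min: '2.0.0', fixed: '2.0.7' },
  '@clerk/backend': { min: '3.0.0', fixed: '3.2.3' },
  '@clerk/fastify': { min: '3.1.0', fixed: '3.1.5' },
};

// Parse "major.minor.patch[-prerelease]". Build metadata is ignored; a
// pre-release is remembered so that 3.2.3-rc.1 still counts as below 3.2.3.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.-]+)?/.exec(String(v).trim());
  if (!m) throw new Error(`unparseable version: ${v}`);
  return { nums: [Number(m[1]), Number(m[2]), Number(m[3])], pre: m[4] !== undefined };
}

function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa.nums[i] !== pb.nums[i]) return pa.nums[i] < pb.nums[i] ? -1 : 1;
  }
  if (pa.pre !== pb.pre) return pa.pre ? -1 : 1; // pre-release sorts lower
  return 0;
}

// True when version is in [min, fixed) for a package the advisory covers.
function isAffected(name, version) {
  const adv = ADVISORY[name];
  if (!adv) return false;
  return compareVersions(version, adv.min) >= 0 && compareVersions(version, adv.fixed) < 0;
}

// Walk every installed copy, including nested node_modules, and report hits.
function findAffected(lockfile) {
  const hits = [];
  for (const [path, entry] of Object.entries(lockfile.packages || {})) {
    const idx = path.lastIndexOf('node_modules/');
    if (idx === -1) continue; // the "" root project entry
    const name = path.slice(idx + 'node_modules/'.length);
    if (!(name in ADVISORY) || !entry.version) continue;
    if (isAffected(name, entry.version)) {
      hits.push({ path, name, version: entry.version, fixed: ADVISORY[name].fixed });
    }
  }
  return hits;
}

// Constructed sample lockfile (not a real project's): a fixed top-level
// @clerk/express and @clerk/backend, a vulnerable @clerk/backend nested
// under express, and a pre-release of the fixed @clerk/hono version.
const SAMPLE_LOCK = {
  name: 'example-app',
  lockfileVersion: 3,
  packages: {
    '': { name: 'example-app', dependencies: { '@clerk/express': '^2.0.7' } },
    'node_modules/@clerk/express': { version: '2.0.7' },
    'node_modules/@clerk/express/node_modules/@clerk/backend': { version: '3.2.2' },
    'node_modules/@clerk/backend': { version: '3.2.3' },
    'node_modules/@clerk/hono': { version: '0.1.5-rc.1' },
    'node_modules/cookie': { version: '0.7.0' },
  },
};

// Usage: node check-clerk.js [path/to/package-lock.json]; without an
// argument the constructed sample is scanned.
const lockPath = typeof process !== 'undefined' ? process.argv[2] : undefined;
const lock = lockPath && typeof require !== 'undefined'
  ? JSON.parse(require('fs').readFileSync(lockPath, 'utf8'))
  : SAMPLE_LOCK;
for (const h of findAffected(lock)) {
  console.log(`${h.path}: ${h.name}@${h.version} is affected, upgrade to ${h.fixed}`);
}
```

The nested copy is the case worth the extra code: a service can show the patched version at the top of its tree while a transitive dependency still pins an affected one, and that copy is the one the framework integration actually loads.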
