Clerk patches a Next.js bypass, ships SSO UI, and adds metadata updates
May 11–17, 2026
The week's biggest story is a high-severity Next.js App Router middleware bypass fixed in Clerk's Next.js SDK, while across the JavaScript monorepo the team shipped SAML SSO configuration steps, user metadata APIs, new UI customization options, and a WorkOS feature flags runtime client.
Next.js middleware bypass patched; JWT validation hardened
The most critical release this week is Clerk's @clerk/nextjs v7.3.5, which bumps the next dependency to 15.5.18 to fix GHSA-26hh-7cqf-hhc6 — a high-severity (CVSS 7.5) middleware/proxy bypass in App Router applications via segment-prefetch routes. If you use the App Router, upgrade to Next.js 15.5.18 or 16.2.6 immediately; versions 16.0.0 through 16.2.5 remain affected. On the backend side, @clerk/backend@3.4.8 fixed JWT array audience validation and now requires a configured JWT header type, closing two security-adjacent gaps in token verification.
SAML SSO configuration UI advances
Across multiple packages, the experimental <__experimental_ConfigureSSO /> component gained real functionality. Clerk UI v1.10.0 and v1.11.0 added a two-mode segmented control for SAML configuration (metadata URL vs. manual entry), provider selection tiles for Okta Workforce and Custom SAML, and email verification steps. The localizations package followed with the corresponding locale keys. @clerk/shared@4.12.0 and the core JavaScript SDK v6.11.1 landed confirmation and test steps for the same flow. If you've been waiting to roll out self-service SAML configuration to your users, this week's releases make it substantially more usable.
User metadata API and developer experience
JavaScript SDK v6.11.0 introduced user.updateMetadata(), letting you update the current user's metadata by merging with existing values — no more read-modify-write cycles. The same release fixed dev browser recovery by clearing stale partitioned and non-partitioned cookie variants, and added monotonic token replacement to prevent stale tokens in multi-tab scenarios. For React developers, @clerk/react v6.6.4 now allows unstyled button components to accept React elements passed as arrays. Meanwhile, Clerk UI gained a fontFamilyMono appearance variable (exposed as --clerk-font-family-mono) and inline <bold> markup support in localization values, so translators can write 'Agree to <bold>Terms</bold>' in a single key instead of splitting fragments.
Feature flags runtime from WorkOS
Outside the Clerk monorepo, WorkOS shipped a runtime client for its Feature Flags product within the Node SDK. The client keeps an in-memory view of flags in sync, evaluates synchronously with no network call per check, and supports event-driven flag state changes. For teams already using WorkOS for SSO or directory sync, this is a natural add-on for gradual rollouts without adding another service.
Releases covered
- @clerk/nextjs v7.3.5 patches Next.js App Router middleware bypass vulnerability
- Clerk JavaScript SDK @clerk/backend@3.4.8 fixes JWT validation and requires header type
- Clerk UI v1.10.0 adds monospace font customization and expands SSO configuration
- Clerk Localizations v4.6.4 adds SAML configuration UI steps
- Clerk JavaScript SDK @clerk/shared@4.12.0 adds pricing table Popular badge and SAML config modes
- Clerk JavaScript SDK v6.11.1 restores query client backward compatibility
- Clerk JavaScript SDK v6.11.0 adds user metadata updates and fixes SSO configuration
- @clerk/react v6.6.4 allows unstyled button components to accept React elements as arrays