releases.shpreview
Home/Collections/Auth & Identity/Week of May 11, 2026

Clerk patches a Next.js bypass, ships SSO UI, and adds metadata updates

May 11–17, 2026

The week's biggest story is a high-severity Next.js App Router middleware bypass fixed in Clerk's Next.js SDK, while across the JavaScript monorepo the team shipped SAML SSO configuration steps, user metadata APIs, new UI customization options, and a WorkOS feature flags runtime client.

Next.js middleware bypass patched; JWT validation hardened

The most critical release this week is Clerk's @clerk/nextjs v7.3.5, which bumps the next dependency to 15.5.18 to fix GHSA-26hh-7cqf-hhc6 — a high-severity (CVSS 7.5) middleware/proxy bypass in App Router applications via segment-prefetch routes. If you use the App Router, upgrade to Next.js 15.5.18 or 16.2.6 immediately; versions 16.0.0 through 16.2.5 remain affected. On the backend side, @clerk/backend@3.4.8 fixed JWT array audience validation and now requires a configured JWT header type, closing two security-adjacent gaps in token verification.

SAML SSO configuration UI advances

Across multiple packages, the experimental <__experimental_ConfigureSSO /> component gained real functionality. Clerk UI v1.10.0 and v1.11.0 added a two-mode segmented control for SAML configuration (metadata URL vs. manual entry), provider selection tiles for Okta Workforce and Custom SAML, and email verification steps. The localizations package followed with the corresponding locale keys. @clerk/shared@4.12.0 and the core JavaScript SDK v6.11.1 landed confirmation and test steps for the same flow. If you've been waiting to roll out self-service SAML configuration to your users, this week's releases make it substantially more usable.

User metadata API and developer experience

JavaScript SDK v6.11.0 introduced user.updateMetadata(), letting you update the current user's metadata by merging with existing values — no more read-modify-write cycles. The same release fixed dev browser recovery by clearing stale partitioned and non-partitioned cookie variants, and added monotonic token replacement to prevent stale tokens in multi-tab scenarios. For React developers, @clerk/react v6.6.4 now allows unstyled button components to accept React elements passed as arrays. Meanwhile, Clerk UI gained a fontFamilyMono appearance variable (exposed as --clerk-font-family-mono) and inline <bold> markup support in localization values, so translators can write 'Agree to <bold>Terms</bold>' in a single key instead of splitting fragments.

Feature flags runtime from WorkOS

Outside the Clerk monorepo, WorkOS shipped a runtime client for its Feature Flags product within the Node SDK. The client keeps an in-memory view of flags in sync, evaluates synchronously with no network call per check, and supports event-driven flag state changes. For teams already using WorkOS for SSO or directory sync, this is a natural add-on for gradual rollouts without adding another service.

Releases covered