CVE-2026-39976
Severity: HIGH
Laravel Passport's TokenGuard Authenticates Unrelated User for Client Credentials Tokens
Title source: cnaDescription
Laravel Passport provides OAuth2 server support to Laravel. From 13.0.0 to before 13.7.1, there is an authentication bypass for client_credentials tokens. The league/oauth2-server library sets the JWT sub claim to the client identifier (since there is no user). The token guard then passes this value to retrieveById() without validating that it is actually a user identifier, potentially resolving an unrelated real user. Any machine-to-machine token can inadvertently authenticate as an actual user. This vulnerability is fixed in 13.7.1.
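The following is an added illustration, not Laravel Passport's own code or its actual fix: a simplified guard that shows the lookup the advisory describes (sub passed straight to retrieveById()) beside a hardened variant that refuses to resolve a user principal for a token whose sub is the client identifier. It assumes a client_credentials token carries its client identifier in both sub and aud, and uses constructed sample claims and users.

```php
<?php
// Added example, not Laravel Passport's code. Assumption: a client_credentials
// token issued by league/oauth2-server has sub == aud (both the client id),
// because no user is attached to the token.

final class UserProvider
{
    /** Constructed sample users keyed by primary key. */
    private array $users = [42 => 'alice@example.com'];

    public function retrieveById(int|string $id): ?string
    {
        return $this->users[(int) $id] ?? null;
    }
}

/** Behaviour described for 13.0.0 - 13.7.0: sub goes straight to retrieveById(). */
function vulnerableUser(array $claims, UserProvider $provider): ?string
{
    return $provider->retrieveById($claims['sub']);
}

/** Hardened lookup: a token that names its client in sub has no user principal. */
function hardenedUser(array $claims, UserProvider $provider): ?string
{
    $aud = $claims['aud'] ?? null;
    $clientId = is_array($aud) ? ($aud[0] ?? null) : $aud; // JWT aud may be a list
    if ($clientId !== null && (string) $claims['sub'] === (string) $clientId) {
        return null; // authenticated client, but deliberately no user
    }
    return $provider->retrieveById($claims['sub']);
}

// Constructed claims: client id 42 collides with the primary key of a real user.
$m2mToken  = ['sub' => '42', 'aud' => '42', 'scopes' => []];
$userToken = ['sub' => '42', 'aud' => '7',  'scopes' => []]; // user 42 via client 7

$provider = new UserProvider();
var_dump(vulnerableUser($m2mToken, $provider));  // machine token resolves a real user
var_dump(hardenedUser($m2mToken, $provider));    // machine token yields no user
var_dump(hardenedUser($userToken, $provider));   // genuine user token still resolves
```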
References (5)
x_refsource_confirm: https://github.com/laravel/passport/security/advisories/GHSA-349c-2h2f-mxf6
x_refsource_misc: https://github.com/laravel/passport/issues/1900
x_refsource_misc: https://github.com/thephpleague/oauth2-server/issues/1456#issuecomment-2734989996
x_refsource_misc: https://github.com/laravel/passport/pull/1901
x_refsource_misc: https://github.com/laravel/passport/pull/1902
Scores
CVSS v3
7.1
EPSS
0.0029
EPSS Percentile
20.4%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:L/A:N
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
partial
Details
CWE
CWE-287
Status
published
Products (3)
laravel/passport
13.0.0 - 13.7.1 (Packagist)
laravel/passport
13.0.0 - 13.7.1
laravel/passport
>= 13.0.0, < 13.7.1
Published
Apr 09, 2026
Tracked Since
Apr 09, 2026