CVE-2026-39976
HIGH
Laravel Passport's TokenGuard Authenticates Unrelated User for Client Credentials Tokens
Title source: cnaDescription
Laravel Passport provides OAuth2 server support for Laravel. Versions from 13.0.0 up to, but not including, 13.7.1 contain an authentication bypass affecting client_credentials tokens. Because a client credentials grant has no user, the league/oauth2-server library sets the JWT sub claim to the client identifier. Passport's TokenGuard then passes that value to the user provider's retrieveById() without checking that it is actually a user identifier, so it can resolve an unrelated real user whose primary key happens to equal the client identifier. Any machine-to-machine token can therefore inadvertently authenticate as a real user. This vulnerability is fixed in 13.7.1.
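The following is an added, self-contained illustration of the bug pattern described above and one way to close it. It is not Passport's code or its actual 13.7.1 patch: the user table, token store, decoded claims, and the function names authenticateVulnerable(), authenticateHardened() and retrieveById() are constructed for this example. It assumes integer user primary keys and a client whose identifier collides with one of them, which is the condition under which the guard resolves the wrong principal.

```php
<?php
// Illustrative model of CVE-2026-39976 (not Passport's own code).
// All data below is constructed for the example.
declare(strict_types=1);

// Constructed users table: user id 1 is a real account.
$users = [
    1 => ['id' => 1, 'name' => 'alice'],
    2 => ['id' => 2, 'name' => 'bob'],
];

// Constructed token store, i.e. what the authorization server persisted
// when it issued each token. A client_credentials grant has no user.
$tokenStore = [
    'tok-user' => ['grant' => 'password',           'client_id' => 1, 'user_id' => 2],
    'tok-m2m'  => ['grant' => 'client_credentials', 'client_id' => 1, 'user_id' => null],
];

// Decoded JWT claims as league/oauth2-server emits them: for the
// client_credentials token the sub claim is the CLIENT identifier.
$claims = [
    'tok-user' => ['jti' => 'tok-user', 'aud' => '1', 'sub' => '2'],
    'tok-m2m'  => ['jti' => 'tok-m2m',  'aud' => '1', 'sub' => '1'],
];

// Stand-in for a user provider's retrieveById(): behaves like a primary-key
// lookup on an integer column, so a numeric-looking client id matches a user.
function retrieveById(array $users, string|int $id): ?array
{
    return $users[(int) $id] ?? null;
}

// Bug pattern: sub is forwarded to retrieveById() without asking whether the
// token ever had a user. For tok-m2m this returns alice.
function authenticateVulnerable(array $claim, array $users): ?array
{
    return retrieveById($users, $claim['sub']);
}

// Hardened pattern (an assumed mitigation, not the upstream fix): consult the
// issued-token record, refuse to resolve a user for client_credentials tokens,
// and require sub to match the user id recorded at issuance.
function authenticateHardened(array $claim, array $users, array $tokenStore): ?array
{
    $record = $tokenStore[$claim['jti']] ?? null;
    if ($record === null) {
        return null; // unknown or revoked token
    }
    if ($record['grant'] === 'client_credentials' || $record['user_id'] === null) {
        return null; // machine-to-machine token: no user principal at all
    }
    if ((string) $record['user_id'] !== (string) $claim['sub']) {
        return null; // sub disagrees with what we issued; do not trust it
    }
    return retrieveById($users, $record['user_id']);
}

$vulnM2m  = authenticateVulnerable($claims['tok-m2m'], $users);
$hardM2m  = authenticateHardened($claims['tok-m2m'], $users, $tokenStore);
$hardUser = authenticateHardened($claims['tok-user'], $users, $tokenStore);

printf("vulnerable guard, client_credentials token -> %s\n", $vulnM2m['name'] ?? 'no user');
printf("hardened guard,   client_credentials token -> %s\n", $hardM2m['name'] ?? 'no user');
printf("hardened guard,   user token               -> %s\n", $hardUser['name'] ?? 'no user');
```

Run with `php example.php`: the vulnerable guard reports alice for the machine-to-machine token, while the hardened guard reports no user for it and still resolves bob for the user token. On a real deployment the practical check is simpler: `composer show laravel/passport` must report 13.7.1 or later, and any code that branches on Auth::user() for API routes should be reviewed for the assumption that a valid bearer token always implies a human user.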
Scores
CVSS v3
7.1
EPSS
0.0006
EPSS Percentile
20.3%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:L/A:N
Details
CWE
CWE-287
Status
published
Products (2)
laravel/passport
13.0.0 - 13.7.1 (Packagist)
laravel/passport
>= 13.0.0, < 13.7.1
Published
Apr 09, 2026
Tracked Since
Apr 09, 2026