Description

Laravel Passport provides OAuth2 server support to Laravel. From 13.0.0 to before 13.7.1, there is an Authentication Bypass for client_credentials tokens. the league/oauth2-server library sets the JWT sub claim to the client identifier (since there's no user). The token guard then passes this value to retrieveById() without validating it's actually a user identifier, potentially resolving an unrelated real user. Any machine-to-machine token can inadvertently authenticate as an actual user. This vulnerability is fixed in 13.7.1.

INFO

Published Date :

2026-04-09T16:50:42.326Z

Last Modified :

2026-04-09T19:31:53.801Z

Source :

GitHub_M
AFFECTED PRODUCTS

The following products are affected by CVE-2026-39976 vulnerability.

Vendors Products
Laravel
  • Passport
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2026-39976.

URL Resource
https://github.com/laravel/passport/issues/1900 cve-icon cve-icon
https://github.com/laravel/passport/pull/1901 cve-icon cve-icon
https://github.com/laravel/passport/pull/1902 cve-icon cve-icon
https://github.com/laravel/passport/security/advisories/GHSA-349c-2h2f-mxf6 cve-icon cve-icon
https://github.com/thephpleague/oauth2-server/issues/1456#issuecomment-2734989996 cve-icon cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact