CVE-2026-39976

HIGH NVD

CVSS Score 7.1

Severity HIGH

Published Apr 09, 2026

Vendor unknown

Description

Laravel Passport provides OAuth2 server support to Laravel. From 13.0.0 to before 13.7.1, there is an Authentication Bypass for client_credentials tokens. the league/oauth2-server library sets the JWT sub claim to the client identifier (since there's no user). The token guard then passes this value to retrieveById() without validating it's actually a user identifier, potentially resolving an unrelated real user. Any machine-to-machine token can inadvertently authenticate as an actual user. This vulnerability is fixed in 13.7.1.

References

https://github.com/laravel/passport/issues/1900
https://github.com/laravel/passport/pull/1901
https://github.com/laravel/passport/pull/1902
https://github.com/laravel/passport/security/advisories/GHSA-349c-2h2f-mxf6
https://github.com/thephpleague/oauth2-server/issues/1456#issuecomment-2734989996