Description
Laravel Passport provides OAuth2 server support to Laravel. From 13.0.0 to before 13.7.1, there is an Authentication Bypass for client_credentials tokens. the league/oauth2-server library sets the JWT sub claim to the client identifier (since there's no user). The token guard then passes this value to retrieveById() without validating it's actually a user identifier, potentially resolving an unrelated real user. Any machine-to-machine token can inadvertently authenticate as an actual user. This vulnerability is fixed in 13.7.1.
Published: 2026-04-09
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: Authentication Bypass
Action: Patch Now
AI Analysis

Impact

Laravel Passport’s TokenGuard incorrectly treats the OAuth2 client identifier as a user identifier. When a client_credentials token is issued, the library sets the JWT "sub" claim to the client ID, and the guard passes this directly to the user lookup without verifying it refers to a real user. The result is that a machine‑to‑machine token can authenticate as an unrelated real user, enabling unauthorized access and identity spoofing (CWE‑287).

Affected Systems

All installations of Laravel Passport between versions 13.0.0 and 13.7.0, inclusive, are vulnerable. The issue originates in the league/oauth2-server library that Passport depends on. Any application using these versions and issuing client‑credential tokens is affected.

Risk and Exploitability

The flaw has a CVSS base score of 7.1, indicating medium‑to‑high severity. Exploit probability data is not available, and the vulnerability is not listed in the CISA KEV catalog. It is inferred that an attacker must acquire a valid client_credentials token, typically through compromise of client credentials or misconfiguration, and then use it to access resources that expect a genuine authenticated user. The attack does not require external exploitation beyond the authentication subsystem.

Generated by OpenCVE AI on April 9, 2026 at 18:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Laravel Passport to version 13.7.1 or later
  • Verify that machine‑to‑machine endpoints do not treat the client identifier as a user identity
  • Disable or restrict client‑credential tokens for operations that rely on authenticated user context
  • Monitor authentication logs for unexpected user identities

Generated by OpenCVE AI on April 9, 2026 at 18:50 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-349c-2h2f-mxf6 Laravel Passport: TokenGuard Authenticates Unrelated User for Client Credentials Tokens
History

Fri, 10 Apr 2026 09:00:00 +0000

Type Values Removed Values Added
First Time appeared Laravel
Laravel passport
Vendors & Products Laravel
Laravel passport

Fri, 10 Apr 2026 04:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 09 Apr 2026 17:00:00 +0000

Type Values Removed Values Added
Description Laravel Passport provides OAuth2 server support to Laravel. From 13.0.0 to before 13.7.1, there is an Authentication Bypass for client_credentials tokens. the league/oauth2-server library sets the JWT sub claim to the client identifier (since there's no user). The token guard then passes this value to retrieveById() without validating it's actually a user identifier, potentially resolving an unrelated real user. Any machine-to-machine token can inadvertently authenticate as an actual user. This vulnerability is fixed in 13.7.1.
Title Laravel Passport's TokenGuard Authenticates Unrelated User for Client Credentials Tokens
Weaknesses CWE-287
References
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:L/A:N'}

Subscriptions

Laravel Passport
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-09T19:31:53.801Z

Reserved: 2026-04-08T00:01:47.628Z

Link: CVE-2026-39976

cve-icon Vulnrichment

Updated: 2026-04-09T17:38:05.372Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-04-09T17:16:31.267

Modified: 2026-04-13T15:02:27.760

Link: CVE-2026-39976

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-10T09:32:05Z

Weaknesses