7.1

CVE-2026-39976

Exploit

Laravel Passport's TokenGuard Authenticates Unrelated User for Client Credentials Tokens

Laravel Passport provides OAuth2 server support to Laravel. From 13.0.0 to before 13.7.1, there is an Authentication Bypass for client_credentials tokens. the league/oauth2-server library sets the JWT sub claim to the client identifier (since there's no user). The token guard then passes this value to retrieveById() without validating it's actually a user identifier, potentially resolving an unrelated real user. Any machine-to-machine token can inadvertently authenticate as an actual user. This vulnerability is fixed in 13.7.1.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
LaravelPassport SwPlatformlaravel Version >= 13.0.0 < 13.7.1
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 0.29% 0.204
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
security-advisories@github.com 7.1 1.8 4.7
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:L/A:N
CWE-287 Improper Authentication

When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.

https://github.com/laravel/passport/issues/1900
Exploit
Issue Tracking
https://github.com/laravel/passport/pull/1901
Patch
Issue Tracking
https://github.com/laravel/passport/pull/1902
Patch
Issue Tracking
https://github.com/laravel/passport/security/advisories/GHSA-349c-2h2f-mxf6
Vendor Advisory
Mitigation
https://github.com/thephpleague/oauth2-server/issues/1456#issuecomment-2734989996
Patch
Issue Tracking