7.1
CVE-2026-39976
- EPSS 0.29%
- Veröffentlicht 09.04.2026 17:16:31
- Zuletzt bearbeitet 02.06.2026 17:58:49
- Quelle security-advisories@github.com
- CVE-Watchlists
- Unerledigt
Laravel Passport's TokenGuard Authenticates Unrelated User for Client Credentials Tokens
Laravel Passport provides OAuth2 server support to Laravel. From 13.0.0 to before 13.7.1, there is an Authentication Bypass for client_credentials tokens. the league/oauth2-server library sets the JWT sub claim to the client identifier (since there's no user). The token guard then passes this value to retrieveById() without validating it's actually a user identifier, potentially resolving an unrelated real user. Any machine-to-machine token can inadvertently authenticate as an actual user. This vulnerability is fixed in 13.7.1.
| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 0.29% | 0.204 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| security-advisories@github.com | 7.1 | 1.8 | 4.7 |
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:L/A:N
|
CWE-287 Improper Authentication
When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.
https://github.com/laravel/passport/issues/1900
https://github.com/laravel/passport/pull/1901
https://github.com/laravel/passport/pull/1902
https://github.com/laravel/passport/security/advisories/GHSA-349c-2h2f-mxf6
https://github.com/thephpleague/oauth2-server/issues/1456#issuecomment-2734989996