CVE Alert

CVE-2026-39976

HIGH 7.1

Laravel Passport's TokenGuard Authenticates Unrelated User for Client Credentials Tokens

CVSS Score 7.1
EPSS Score 0.0%
EPSS Percentile 0th

Laravel Passport provides OAuth2 server support to Laravel. In versions from 13.0.0 up to but not including 13.7.1, there is an authentication bypass for client_credentials tokens. For such tokens the league/oauth2-server library sets the JWT sub claim to the client identifier, since no user is involved. Passport's token guard then passes this value to retrieveById() without validating that it is actually a user identifier, so it can resolve an unrelated real user whose ID happens to match the client identifier. As a result, any machine-to-machine token can inadvertently authenticate as an actual user. This vulnerability is fixed in 13.7.1.

CWE CWE-287
Vendor laravel
Product passport
Published Apr 9, 2026
Last Updated Apr 9, 2026

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:L/A:N
Attack Vector Network
Attack Complexity High
Privileges Required Low
User Interaction None
Scope Changed
Confidentiality High
Integrity Low
Availability None

Affected Versions

laravel / passport
>= 13.0.0, < 13.7.1

References

NVD, CVE.org, EPSS Data
https://github.com/laravel/passport/security/advisories/GHSA-349c-2h2f-mxf6
https://github.com/laravel/passport/issues/1900
https://github.com/thephpleague/oauth2-server/issues/1456#issuecomment-2734989996
https://github.com/laravel/passport/pull/1901
https://github.com/laravel/passport/pull/1902