High severity7.1NVD Advisory· Published Apr 9, 2026· Updated Jun 2, 2026
CVE-2026-39976
CVE-2026-39976
Description
Laravel Passport provides OAuth2 server support to Laravel. From 13.0.0 to before 13.7.1, there is an Authentication Bypass for client_credentials tokens. the league/oauth2-server library sets the JWT sub claim to the client identifier (since there's no user). The token guard then passes this value to retrieveById() without validating it's actually a user identifier, potentially resolving an unrelated real user. Any machine-to-machine token can inadvertently authenticate as an actual user. This vulnerability is fixed in 13.7.1.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
laravel/passportPackagist | >= 13.0.0, < 13.7.1 | 13.7.1 |
Affected products
3Patches
Vulnerability mechanics
References
7- github.com/laravel/passport/pull/1901nvdIssue TrackingPatchWEB
- github.com/laravel/passport/pull/1902nvdIssue TrackingPatchWEB
- github.com/thephpleague/oauth2-server/issues/1456nvdIssue TrackingPatchWEB
- github.com/laravel/passport/issues/1900nvdExploitIssue TrackingWEB
- github.com/advisories/GHSA-349c-2h2f-mxf6ghsaADVISORY
- github.com/laravel/passport/security/advisories/GHSA-349c-2h2f-mxf6nvdMitigationVendor AdvisoryWEB
- nvd.nist.gov/vuln/detail/CVE-2026-39976ghsaADVISORY
News mentions
0No linked articles in our index yet.