High severity7.1NVD Advisory· Published Apr 9, 2026· Updated Apr 13, 2026
CVE-2026-39976
CVE-2026-39976
Description
Laravel Passport provides OAuth2 server support to Laravel. From 13.0.0 to before 13.7.1, there is an Authentication Bypass for client_credentials tokens. the league/oauth2-server library sets the JWT sub claim to the client identifier (since there's no user). The token guard then passes this value to retrieveById() without validating it's actually a user identifier, potentially resolving an unrelated real user. Any machine-to-machine token can inadvertently authenticate as an actual user. This vulnerability is fixed in 13.7.1.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
laravel/passportPackagist | >= 13.0.0, < 13.7.1 | 13.7.1 |
Affected products
1Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
7- github.com/advisories/GHSA-349c-2h2f-mxf6ghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2026-39976ghsaADVISORY
- github.com/laravel/passport/issues/1900nvdWEB
- github.com/laravel/passport/pull/1901nvdWEB
- github.com/laravel/passport/pull/1902nvdWEB
- github.com/laravel/passport/security/advisories/GHSA-349c-2h2f-mxf6nvdWEB
- github.com/thephpleague/oauth2-server/issues/1456nvdWEB
News mentions
0No linked articles in our index yet.