Laravel Passport OAuth2 Bypass Client_Credentials Tokens <13.7.1
CVE-2026-39976 Published on April 9, 2026

Laravel Passport's TokenGuard Authenticates Unrelated User for Client Credentials Tokens
Laravel Passport provides OAuth2 server support to Laravel. From 13.0.0 to before 13.7.1, there is an Authentication Bypass for client_credentials tokens. the league/oauth2-server library sets the JWT sub claim to the client identifier (since there's no user). The token guard then passes this value to retrieveById() without validating it's actually a user identifier, potentially resolving an unrelated real user. Any machine-to-machine token can inadvertently authenticate as an actual user. This vulnerability is fixed in 13.7.1.

NVD

Vulnerability Analysis

CVE-2026-39976 is exploitable with network access, and requires small amount of user privileges. This vulnerability is consided to have a high level of attack complexity. The potential impact of an exploit of this vulnerability is considered to have a high impact on confidentiality, with no impact on integrity, and no impact on availability.

Attack Vector:
NETWORK
Attack Complexity:
HIGH
Privileges Required:
LOW
User Interaction:
NONE
Scope:
CHANGED
Confidentiality Impact:
HIGH
Integrity Impact:
LOW
Availability Impact:
NONE

Weakness Type

What is an authentification Vulnerability?

When an actor claims to have a given identity, the software does not prove or insufficiently proves that the claim is correct.

CVE-2026-39976 has been classified to as an authentification vulnerability or weakness.


Affected Versions

laravel passport Version >= 13.0.0, < 13.7.1 is affected by CVE-2026-39976