Severity by source
AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:L/A:N
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:L/A:N
Lifecycle Timeline
3DescriptionGitHub Advisory
Laravel Passport provides OAuth2 server support to Laravel. From 13.0.0 to before 13.7.1, there is an Authentication Bypass for client_credentials tokens. the league/oauth2-server library sets the JWT sub claim to the client identifier (since there's no user). The token guard then passes this value to retrieveById() without validating it's actually a user identifier, potentially resolving an unrelated real user. Any machine-to-machine token can inadvertently authenticate as an actual user. This vulnerability is fixed in 13.7.1.
AnalysisAI
Authentication bypass in Laravel Passport 13.0.0-13.7.0 allows machine-to-machine OAuth2 client_credentials tokens to impersonate arbitrary application users. The league/oauth2-server library sets JWT sub claim to client identifier for M2M flows; Passport's token guard fails to validate this identifier represents an actual user before passing to retrieveById(), enabling any M2M token to authenticate as unrelated real users. Affects all deployments using client_credentials grant type. Requires low-privilege authenticated access (PR:L). No public exploit identified at time of analysis.
Technical ContextAI
Root cause: missing user identifier validation in token guard chain. oauth2-server populates sub with client_id per spec; Passport guard invokes retrieveById(sub) without type checking, causing resolution against user table instead of client table (CWE-287). Cross-scope confusion between client and user identity domains enables privilege escalation from M2M context to user session.
RemediationAI
Vendor-released patch: upgrade to Laravel Passport 13.7.1 immediately. Fixed versions implement sub claim validation to prevent client identifier resolution against user models. Upstream fixes available via PR #1901 and PR #1902 per GitHub advisory GHSA-349c-2h2f-mxf6 (https://github.com/laravel/passport/security/advisories/GHSA-349c-2h2f-mxf6). Temporary workaround: disable client_credentials grant type if M2M functionality not required; implement custom token guard middleware enforcing explicit client/user identifier segregation. Review audit logs for anomalous user authentication patterns matching known client IDs to detect prior exploitation. No configuration-based mitigation exists-code-level patch mandatory.
@fastify/passport is a port of passport authentication library for the Fastify ecosystem. Rated high severity (CVSS 8.1)
@fastify/passport is a port of passport authentication library for the Fastify ecosystem. Rated medium severity (CVSS 6.
This affects the package passport before 0.6.0. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploit
Same weakness CWE-287 – Improper Authentication
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-20970
GHSA-349c-2h2f-mxf6