Skip to main content

Passport CVE-2026-39976

| EUVDEUVD-2026-20970 HIGH
Improper Authentication (CWE-287)
2026-04-09 GitHub_M GHSA-349c-2h2f-mxf6
7.1
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
7.1 HIGH
AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:L/A:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:L/A:N
Attack Vector
Network
Attack Complexity
High
Privileges Required
Low
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
Low
Availability
None

Lifecycle Timeline

3
EUVD ID Assigned
Apr 09, 2026 - 17:15 euvd
EUVD-2026-20970
Analysis Generated
Apr 09, 2026 - 17:15 vuln.today
CVE Published
Apr 09, 2026 - 16:50 nvd
HIGH 7.1

DescriptionGitHub Advisory

Laravel Passport provides OAuth2 server support to Laravel. From 13.0.0 to before 13.7.1, there is an Authentication Bypass for client_credentials tokens. the league/oauth2-server library sets the JWT sub claim to the client identifier (since there's no user). The token guard then passes this value to retrieveById() without validating it's actually a user identifier, potentially resolving an unrelated real user. Any machine-to-machine token can inadvertently authenticate as an actual user. This vulnerability is fixed in 13.7.1.

AnalysisAI

Authentication bypass in Laravel Passport 13.0.0-13.7.0 allows machine-to-machine OAuth2 client_credentials tokens to impersonate arbitrary application users. The league/oauth2-server library sets JWT sub claim to client identifier for M2M flows; Passport's token guard fails to validate this identifier represents an actual user before passing to retrieveById(), enabling any M2M token to authenticate as unrelated real users. Affects all deployments using client_credentials grant type. Requires low-privilege authenticated access (PR:L). No public exploit identified at time of analysis.

Technical ContextAI

Root cause: missing user identifier validation in token guard chain. oauth2-server populates sub with client_id per spec; Passport guard invokes retrieveById(sub) without type checking, causing resolution against user table instead of client table (CWE-287). Cross-scope confusion between client and user identity domains enables privilege escalation from M2M context to user session.

RemediationAI

Vendor-released patch: upgrade to Laravel Passport 13.7.1 immediately. Fixed versions implement sub claim validation to prevent client identifier resolution against user models. Upstream fixes available via PR #1901 and PR #1902 per GitHub advisory GHSA-349c-2h2f-mxf6 (https://github.com/laravel/passport/security/advisories/GHSA-349c-2h2f-mxf6). Temporary workaround: disable client_credentials grant type if M2M functionality not required; implement custom token guard middleware enforcing explicit client/user identifier segregation. Review audit logs for anomalous user authentication patterns matching known client IDs to detect prior exploitation. No configuration-based mitigation exists-code-level patch mandatory.

Share

CVE-2026-39976 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy