{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-39976", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-04-08T00:01:47.628Z", "datePublished": "2026-04-09T16:50:42.326Z", "dateUpdated": "2026-04-09T19:31:53.801Z"}, "containers": {"cna": {"title": "Laravel Passport's TokenGuard Authenticates Unrelated User for Client Credentials Tokens", "problemTypes": [{"descriptions": [{"cweId": "CWE-287", "lang": "en", "description": "CWE-287: Improper Authentication", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:L/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/laravel/passport/security/advisories/GHSA-349c-2h2f-mxf6", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/laravel/passport/security/advisories/GHSA-349c-2h2f-mxf6"}, {"name": "https://github.com/laravel/passport/issues/1900", "tags": ["x_refsource_MISC"], "url": "https://github.com/laravel/passport/issues/1900"}, {"name": "https://github.com/thephpleague/oauth2-server/issues/1456#issuecomment-2734989996", "tags": ["x_refsource_MISC"], "url": "https://github.com/thephpleague/oauth2-server/issues/1456#issuecomment-2734989996"}, {"name": "https://github.com/laravel/passport/pull/1901", "tags": ["x_refsource_MISC"], "url": "https://github.com/laravel/passport/pull/1901"}, {"name": "https://github.com/laravel/passport/pull/1902", "tags": ["x_refsource_MISC"], "url": "https://github.com/laravel/passport/pull/1902"}], "affected": [{"vendor": "laravel", "product": "passport", "versions": [{"version": ">= 13.0.0, < 13.7.1", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-09T16:50:42.326Z"}, "descriptions": [{"lang": "en", "value": "Laravel Passport provides OAuth2 server support to Laravel. From 13.0.0 to before 13.7.1, there is an Authentication Bypass for client_credentials tokens. the league/oauth2-server library sets the JWT sub claim to the client identifier (since there's no user). The token guard then passes this value to retrieveById() without validating it's actually a user identifier, potentially resolving an unrelated real user. Any machine-to-machine token can inadvertently authenticate as an actual user. This vulnerability is fixed in 13.7.1."}], "source": {"advisory": "GHSA-349c-2h2f-mxf6", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-09T17:38:00.854614Z", "id": "CVE-2026-39976", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-09T19:31:53.801Z"}}]}}

{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-39976", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-04-08T00:01:47.628Z", "datePublished": "2026-04-09T16:50:42.326Z", "dateUpdated": "2026-04-09T19:31:53.801Z"}, "containers": {"cna": {"title": "Laravel Passport's TokenGuard Authenticates Unrelated User for Client Credentials Tokens", "problemTypes": [{"descriptions": [{"cweId": "CWE-287", "lang": "en", "description": "CWE-287: Improper Authentication", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:L/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/laravel/passport/security/advisories/GHSA-349c-2h2f-mxf6", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/laravel/passport/security/advisories/GHSA-349c-2h2f-mxf6"}, {"name": "https://github.com/laravel/passport/issues/1900", "tags": ["x_refsource_MISC"], "url": "https://github.com/laravel/passport/issues/1900"}, {"name": "https://github.com/thephpleague/oauth2-server/issues/1456#issuecomment-2734989996", "tags": ["x_refsource_MISC"], "url": "https://github.com/thephpleague/oauth2-server/issues/1456#issuecomment-2734989996"}, {"name": "https://github.com/laravel/passport/pull/1901", "tags": ["x_refsource_MISC"], "url": "https://github.com/laravel/passport/pull/1901"}, {"name": "https://github.com/laravel/passport/pull/1902", "tags": ["x_refsource_MISC"], "url": "https://github.com/laravel/passport/pull/1902"}], "affected": [{"vendor": "laravel", "product": "passport", "versions": [{"version": ">= 13.0.0, < 13.7.1", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-09T16:50:42.326Z"}, "descriptions": [{"lang": "en", "value": "Laravel Passport provides OAuth2 server support to Laravel. From 13.0.0 to before 13.7.1, there is an Authentication Bypass for client_credentials tokens. the league/oauth2-server library sets the JWT sub claim to the client identifier (since there's no user). The token guard then passes this value to retrieveById() without validating it's actually a user identifier, potentially resolving an unrelated real user. Any machine-to-machine token can inadvertently authenticate as an actual user. This vulnerability is fixed in 13.7.1."}], "source": {"advisory": "GHSA-349c-2h2f-mxf6", "discovery": "UNKNOWN"}}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-39976", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-09T17:38:00.854614Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-09T17:38:05.372Z"}}]}}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Laravel Passport provides OAuth2 server support to Laravel. From 13.0.0 to before 13.7.1, there is an Authentication Bypass for client_credentials tokens. the league/oauth2-server library sets the JWT sub claim to the client identifier (since there's no user). The token guard then passes this value to retrieveById() without validating it's actually a user identifier, potentially resolving an unrelated real user. Any machine-to-machine token can inadvertently authenticate as an actual user. This vulnerability is fixed in 13.7.1."}], "id": "CVE-2026-39976", "lastModified": "2026-04-09T17:16:31.267", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 4.7, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-04-09T17:16:31.267", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/laravel/passport/issues/1900"}, {"source": "security-advisories@github.com", "url": "https://github.com/laravel/passport/pull/1901"}, {"source": "security-advisories@github.com", "url": "https://github.com/laravel/passport/pull/1902"}, {"source": "security-advisories@github.com", "url": "https://github.com/laravel/passport/security/advisories/GHSA-349c-2h2f-mxf6"}, {"source": "security-advisories@github.com", "url": "https://github.com/thephpleague/oauth2-server/issues/1456#issuecomment-2734989996"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-287"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[13.0.0,13.7.1)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "passport", "source": "cna", "vendor": "laravel"}, "product": "passport", "vendor": "laravel"}], "analysis": {"en": {"generated_at": "2026-04-09T18:50:30.621002+00:00", "value": {"mitigation_remediation": ["Upgrade Laravel Passport to version 13.7.1 or later", "Verify that machine\u2011to\u2011machine endpoints do not treat the client identifier as a user identity", "Disable or restrict client\u2011credential tokens for operations that rely on authenticated user context", "Monitor authentication logs for unexpected user identities"], "summary": {"action": "Patch Now", "impact": "Authentication Bypass"}, "threat_synthesis": {"affected_systems": "All installations of Laravel Passport between versions 13.0.0 and 13.7.0, inclusive, are vulnerable. The issue originates in the league/oauth2-server library that Passport depends on. Any application using these versions and issuing client\u2011credential tokens is affected.", "description_and_impact": "Laravel Passport\u2019s TokenGuard incorrectly treats the OAuth2 client identifier as a user identifier. When a client_credentials token is issued, the library sets the JWT \"sub\" claim to the client ID, and the guard passes this directly to the user lookup without verifying it refers to a real user. The result is that a machine\u2011to\u2011machine token can authenticate as an unrelated real user, enabling unauthorized access and identity spoofing (CWE\u2011287).", "risk_and_exploitability": "The flaw has a CVSS base score of 7.1, indicating medium\u2011to\u2011high severity. Exploit probability data is not available, and the vulnerability is not listed in the CISA KEV catalog. It is inferred that an attacker must acquire a valid client_credentials token, typically through compromise of client credentials or misconfiguration, and then use it to access resources that expect a genuine authenticated user. The attack does not require external exploitation beyond the authentication subsystem."}}}}, "created": "2026-04-10T08:52:53.962495+00:00", "updated": "2026-04-10T09:32:05.726866+00:00", "vendors": ["laravel", "laravel$PRODUCT$passport"]}