Vulnerability Details CVE-2026-39976
Laravel Passport provides OAuth2 server support to Laravel. From 13.0.0 to before 13.7.1, there is an Authentication Bypass for client_credentials tokens. the league/oauth2-server library sets the JWT sub claim to the client identifier (since there's no user). The token guard then passes this value to retrieveById() without validating it's actually a user identifier, potentially resolving an unrelated real user. Any machine-to-machine token can inadvertently authenticate as an actual user. This vulnerability is fixed in 13.7.1.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.001
EPSS Ranking 29.4%
CVSS Severity
CVSS v3 Score 7.1
References
Products affected by CVE-2026-39976
-
cpe:2.3:a:laravel:passport:13.0.0
-
cpe:2.3:a:laravel:passport:13.0.1
-
cpe:2.3:a:laravel:passport:13.0.2
-
cpe:2.3:a:laravel:passport:13.0.3
-
cpe:2.3:a:laravel:passport:13.0.4
-
cpe:2.3:a:laravel:passport:13.0.5
-
cpe:2.3:a:laravel:passport:13.0.6
-
cpe:2.3:a:laravel:passport:13.1.0
-
cpe:2.3:a:laravel:passport:13.2.0
-
cpe:2.3:a:laravel:passport:13.2.1
-
cpe:2.3:a:laravel:passport:13.2.2
-
cpe:2.3:a:laravel:passport:13.3.0
-
cpe:2.3:a:laravel:passport:13.4.0
-
cpe:2.3:a:laravel:passport:13.4.1
-
cpe:2.3:a:laravel:passport:13.4.2
-
cpe:2.3:a:laravel:passport:13.4.3
-
cpe:2.3:a:laravel:passport:13.4.4
-
cpe:2.3:a:laravel:passport:13.5.0
-
cpe:2.3:a:laravel:passport:13.6.0
-
cpe:2.3:a:laravel:passport:13.7.0