GHSA-349C-2H2F-MXF6

Vulnerability from github – Published: 2026-04-08 19:57 – Updated: 2026-04-13 17:48
Summary
Laravel Passport: TokenGuard Authenticates Unrelated User for Client Credentials Tokens
Details

Impact

Authentication bypass for client_credentials tokens. The league/oauth2-server library sets the JWT sub claim to the client identifier (since there is no user). The token guard then passes this value to retrieveById() without validating that it is actually a user identifier, potentially resolving an unrelated real user. Any machine-to-machine token can therefore inadvertently authenticate as an actual user.

Using the EnsureClientIsResourceOwner middleware together with Passport::$clientUuids set to false can result in resolving a user instead, as stated in the documentation:

The underlying OAuth2 server sets the token's sub claim to the client's identifier for client credentials tokens. By default, Passport uses UUIDs for clients, so this cannot collide with a user's integer primary key. However, if you have set Passport::$clientUuids to false, a client credentials token may inadvertently resolve a user whose ID matches the client's ID. In such cases, using this middleware cannot guarantee that the incoming token is a client credentials token.
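As an added illustration (not Passport's own code and not the v13.7.1 fix), the following constructed in-memory model shows how the guard's lookup lands on a user row when a client created with Passport::$clientUuids = false shares its integer id with a user, and a defensive lookup that refuses to map a token with no resource owner to a user. The userId field stands in for the token store's nullable user id (an assumption of this model); all classes and values are constructed.

```php
<?php
// Constructed model of the sub-claim collision; not code from laravel/passport.
declare(strict_types=1);

final class User
{
    public function __construct(public int $id, public string $email) {}
}

final class AccessToken
{
    public function __construct(
        public string $sub,      // JWT "sub": user id, or the client id for client_credentials
        public ?int $userId,     // token store's user id; null for client_credentials tokens
        public string $clientId,
    ) {}
}

// Constructed user provider: one user whose integer primary key is 7.
$users = [7 => new User(7, 'alice@example.test')];

// Vulnerable pattern: trust sub and hand it straight to the user provider.
function resolveUserUnchecked(AccessToken $token, array $users): ?User
{
    return $users[(int) $token->sub] ?? null;
}

// Defensive pattern: a token without a resource owner never resolves to a user,
// and sub must agree with the owner recorded when the token was issued.
function resolveUserChecked(AccessToken $token, array $users): ?User
{
    if ($token->userId === null) {
        return null;                      // machine-to-machine token: no user to resolve
    }
    if ((string) $token->userId !== $token->sub) {
        return null;                      // claim and stored owner disagree: reject
    }
    return $users[$token->userId] ?? null;
}

// With Passport::$clientUuids = false the client id is an auto-increment integer; here 7.
$m2m = new AccessToken(sub: '7', userId: null, clientId: '7');
var_dump(resolveUserUnchecked($m2m, $users)?->email);   // unchecked: maps client 7 onto user 7
var_dump(resolveUserChecked($m2m, $users));             // checked: no user for this token

// A genuine user token for the same user still resolves under the checked lookup.
$userToken = new AccessToken(sub: '7', userId: 7, clientId: 'client-uuid-constructed');
var_dump(resolveUserChecked($userToken, $users)?->email);
```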

Patches

Patched in v13.7.1

Workarounds

Is there a way for users to fix or remediate the vulnerability without upgrading? Disallow usage of client_credentials.

References

  • https://github.com/laravel/passport/issues/1900
  • https://github.com/laravel/passport/pull/1901
  • https://github.com/laravel/passport/pull/1902
  • https://github.com/thephpleague/oauth2-server/issues/1456#issuecomment-2734989996

{
  "affected": [
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "laravel/passport"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "13.0.0"
            },
            {
              "fixed": "13.7.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-39976"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-287"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-04-08T19:57:55Z",
    "nvd_published_at": "2026-04-09T17:16:31Z",
    "severity": "HIGH"
  },
  "details": "### Impact\nAuthentication Bypass for `client_credentials` tokens. the league/oauth2-server library sets the JWT sub claim to the client identifier (since there\u0027s no user). The token guard then passes this value to retrieveById() without validating it\u0027s actually a user identifier, potentially resolving an unrelated real user. Any machine-to-machine token can inadvertently authenticate as an actual user.\n\n\nUsage of `EnsureClientIsResourceOwner` middleware together with `Passport::$clientUuids` set to `false`, can result in resolving the user instead, as stated in the [documentation](https://laravel.com/docs/13.x/passport#:~:text=The%20underlying%20OAuth2,client%20credentials%20token). \n\n\u003e The [underlying OAuth2 server](https://oauth2.thephpleague.com/database-setup/#:~:text=Please%20note%20that,the%20bearer%20token.) sets the token\u0027s sub claim to the client\u0027s identifier for client credentials tokens. By default, Passport uses UUIDs for clients, so this cannot collide with a user\u0027s integer primary key. However, if you have set Passport::$clientUuids to false, a client credentials token may inadvertently resolve a user whose ID matches the client\u0027s ID. In such cases, using this middleware cannot guarantee that the incoming token is a client credentials token.\n\n### Patches\nPatched in v13.7.1\n\n### Workarounds\n_Is there a way for users to fix or remediate the vulnerability without upgrading?_\nDisallow usage of `client_credentials`. \n\n\n### References\n- https://github.com/laravel/passport/issues/1900\n- https://github.com/laravel/passport/pull/1901\n- https://github.com/laravel/passport/pull/1902\n- https://github.com/thephpleague/oauth2-server/issues/1456#issuecomment-2734989996",
  "id": "GHSA-349c-2h2f-mxf6",
  "modified": "2026-04-13T17:48:46Z",
  "published": "2026-04-08T19:57:55Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/laravel/passport/security/advisories/GHSA-349c-2h2f-mxf6"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-39976"
    },
    {
      "type": "WEB",
      "url": "https://github.com/laravel/passport/issues/1900"
    },
    {
      "type": "WEB",
      "url": "https://github.com/thephpleague/oauth2-server/issues/1456#issuecomment-2734989996"
    },
    {
      "type": "WEB",
      "url": "https://github.com/laravel/passport/pull/1901"
    },
    {
      "type": "WEB",
      "url": "https://github.com/laravel/passport/pull/1902"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/laravel/passport"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:L/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Laravel Passport: TokenGuard Authenticates Unrelated User for Client Credentials Tokens"
}