CVE-2026-39976

Source
https://cve.org/CVERecord?id=CVE-2026-39976
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-39976.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-39976
Aliases
Published
2026-04-09T16:50:42.326Z
Modified
2026-07-08T08:05:08.910131327Z
Severity
  • 7.1 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:L/A:N CVSS Calculator
Summary
Laravel Passport's TokenGuard Authenticates Unrelated User for Client Credentials Tokens
Details

Laravel Passport provides OAuth2 server support to Laravel. From 13.0.0 to before 13.7.1, there is an Authentication Bypass for client_credentials tokens. the league/oauth2-server library sets the JWT sub claim to the client identifier (since there's no user). The token guard then passes this value to retrieveById() without validating it's actually a user identifier, potentially resolving an unrelated real user. Any machine-to-machine token can inadvertently authenticate as an actual user. This vulnerability is fixed in 13.7.1.

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/39xxx/CVE-2026-39976.json",
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
        "CWE-287"
    ]
}
References

Affected packages

Git / github.com/laravel/passport

Affected ranges

Type
GIT
Repo
https://github.com/laravel/passport
Events
Database specific
{
    "cpe": "cpe:2.3:a:laravel:passport:*:*:*:*:*:laravel:*:*",
    "extracted_events": [
        {
            "introduced": "13.0.0"
        },
        {
            "fixed": "13.7.1"
        }
    ],
    "source": [
        "AFFECTED_FIELD",
        "CPE_RANGE"
    ]
}

Affected versions

v13.*
v13.0.0
v13.0.1
v13.0.2
v13.0.3
v13.0.4
v13.0.5
v13.0.6
v13.1.0
v13.2.0
v13.2.1
v13.2.2
v13.3.0
v13.4.0
v13.4.1
v13.4.2
v13.4.3
v13.4.4
v13.5.0
v13.6.0
v13.7.0

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-39976.json"