GHSA-349c-2h2f-mxf6

Source
https://github.com/advisories/GHSA-349c-2h2f-mxf6
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/04/GHSA-349c-2h2f-mxf6/GHSA-349c-2h2f-mxf6.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-349c-2h2f-mxf6
Published
2026-04-08T19:57:55Z
Modified
2026-04-08T20:02:43.538402Z
Severity
  • 7.1 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:L/A:N
Summary
Laravel Passport: TokenGuard Authenticates Unrelated User for Client Credentials Tokens
Details

Impact

Authentication bypass for client_credentials tokens. The league/oauth2-server library sets the JWT sub claim to the client identifier, since there is no user for this grant. The token guard then passes this value to retrieveById() without validating that it is actually a user identifier, potentially resolving an unrelated real user. Any machine-to-machine token can inadvertently authenticate as an actual user.

Usage of the EnsureClientIsResourceOwner middleware together with Passport::$clientUuids set to false can result in resolving a user instead, as stated in the documentation.

The underlying OAuth2 server sets the token's sub claim to the client's identifier for client credentials tokens. By default, Passport uses UUIDs for clients, so this cannot collide with a user's integer primary key. However, if you have set Passport::$clientUuids to false, a client credentials token may inadvertently resolve a user whose ID matches the client's ID. In such cases, using this middleware cannot guarantee that the incoming token is a client credentials token.
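The following is an added example, not code from Passport or league/oauth2-server: a hypothetical TokenGuard and UserProvider (names assumed) showing the unchecked sub-to-retrieveById() lookup the advisory describes beside a check that refuses to resolve a user for a client_credentials token.

```php
<?php
// Added example, not Passport's or league/oauth2-server's code: a hypothetical
// TokenGuard modelling the decision the advisory describes. Assumed claim
// layout: 'aud' = client identifier, 'sub' = user identifier, and for a
// client_credentials token 'sub' is set to the client identifier as well.
declare(strict_types=1);

final class UserProvider
{
    /** @param array<int|string, array{id:int|string, name:string}> $users */
    public function __construct(private array $users) {}

    public function retrieveById(int|string $id): ?array
    {
        return $this->users[$id] ?? null;
    }
}

final class TokenGuard
{
    public function __construct(private UserProvider $provider) {}

    // Vulnerable behaviour from the advisory: 'sub' goes straight to
    // retrieveById() with no check that it names a user at all.
    public function userUnchecked(array $claims): ?array
    {
        return $this->provider->retrieveById($claims['sub']);
    }

    // Hardened: a token whose 'sub' equals its own client id ('aud') carries
    // no resource owner, so it must never resolve to a user, regardless of
    // which integer primary key the client id happens to collide with.
    public function user(array $claims): ?array
    {
        if ((string) $claims['sub'] === (string) $claims['aud']) {
            return null;
        }
        return $this->provider->retrieveById($claims['sub']);
    }
}

// Constructed data: integer client ids (Passport::$clientUuids = false)
// colliding with a real user's primary key.
$guard = new TokenGuard(new UserProvider([7 => ['id' => 7, 'name' => 'alice']]));
$machineToken = ['aud' => '7', 'sub' => '7']; // client_credentials token, client 7
$userToken    = ['aud' => '3', 'sub' => '7']; // user 7 authorised client 3
var_dump($guard->userUnchecked($machineToken)); // vulnerable path: client 7 lands on user 7
var_dump($guard->user($machineToken));          // hardened path: no user for a machine token
var_dump($guard->user($userToken));             // hardened path still serves real user tokens
```

Comparing sub to aud is the heuristic assumed here; recording at issuance whether a token has a resource owner, and checking that instead, removes the ambiguity entirely.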

Patches

Patched in v13.7.1

Workarounds

Disallow usage of client_credentials.

References

  • https://github.com/laravel/passport/issues/1900
  • https://github.com/laravel/passport/pull/1901
  • https://github.com/laravel/passport/pull/1902
  • https://github.com/thephpleague/oauth2-server/issues/1456#issuecomment-2734989996
Database specific
{
    "cwe_ids": [
        "CWE-287"
    ],
    "nvd_published_at": null,
    "severity": "HIGH",
    "github_reviewed": true,
    "github_reviewed_at": "2026-04-08T19:57:55Z"
}
Affected packages

Packagist / laravel/passport

Package

Name
laravel/passport
Purl
pkg:composer/laravel/passport

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
13.7.1

Affected versions

v0.*
v0.1.0
v0.1.1
v0.2.0
v0.2.1
v0.2.2
v0.2.3
v0.2.4
v1.*
v1.0.0
v1.0.1
v1.0.2
v1.0.3
v1.0.4
v1.0.5
v1.0.6
v1.0.7
v1.0.8
v1.0.9
v1.0.10
v1.0.11
v1.0.12
v1.0.13
v1.0.14
v1.0.15
v1.0.16
v1.0.17
v1.0.18
v2.*
v2.0.0
v2.0.1
v2.0.2
v2.0.3
v2.0.4
v2.0.5
v2.0.6
v2.0.7
v2.0.8
v2.0.9
v2.0.10
v2.0.11
v3.*
v3.0.0
v3.0.1
v3.0.2
v4.*
v4.0.0
v4.0.1
v4.0.2
v4.0.3
v5.*
v5.0.0
v5.0.1
v5.0.2
v5.0.3
v6.*
v6.0.0
v6.0.1
v6.0.2
v6.0.3
v6.0.4
v6.0.5
v6.0.6
v6.0.7
v7.*
v7.0.0
v7.0.1
v7.0.2
v7.0.3
v7.0.4
v7.0.5
v7.1.0
v7.2.0
v7.2.1
v7.2.2
v7.3.0
v7.3.1
v7.3.2
v7.3.3
v7.3.4
v7.3.5
v7.4.0
v7.4.1
v7.5.0
v7.5.1
v8.*
v8.0.0
v8.0.1
v8.0.2
v8.1.0
v8.2.0
v8.3.0
v8.3.1
v8.4.0
v8.4.1
v8.4.2
v8.4.3
v8.4.4
v8.5.0
v9.*
v9.0.0
v9.0.1
v9.1.0
v9.2.0
v9.2.1
v9.2.2
v9.3.0
v9.3.1
v9.3.2
v9.4.0
v10.*
v10.0.0
v10.0.1
v10.1.0
v10.1.1
v10.1.2
v10.1.3
v10.1.4
v10.2.0
v10.2.1
v10.2.2
v10.3.0
v10.3.1
v10.3.2
v10.3.3
v10.4.0
v10.4.1
v10.4.2
v11.*
v11.0.0
v11.0.1
v11.1.0
v11.2.0
v11.2.1
v11.3.0
v11.3.1
v11.4.0
v11.5.0
v11.5.1
v11.6.0
v11.6.1
v11.7.0
v11.8.0
v11.8.1
v11.8.2
v11.8.3
v11.8.4
v11.8.5
v11.8.6
v11.8.7
v11.8.8
v11.9.0
v11.9.1
v11.9.2
v11.10.0
v11.10.1
v11.10.2
v11.10.4
v11.10.5
v11.10.6
v12.*
v12.0.0
v12.0.1
v12.0.2
v12.0.3
v12.1.0
v12.2.0
v12.2.1
v12.3.0
v12.3.1
v12.4.0
v12.4.1
v12.4.2
v12.4.3
v13.*
v13.0.0
v13.0.1
v13.0.2
v13.0.3
v13.0.4
v13.0.5
v13.0.6
v13.1.0
v13.2.0
v13.2.1
v13.2.2
v13.3.0
v13.4.0
v13.4.1
v13.4.2
v13.4.3
v13.4.4
v13.5.0
v13.6.0
v13.7.0

Database specific

source
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/04/GHSA-349c-2h2f-mxf6/GHSA-349c-2h2f-mxf6.json"