Platform: laravel
Component: laravel/passport
Fixed in: 13.0.1, 13.7.1
CVE-2026-39976 describes an authentication bypass vulnerability affecting Laravel Passport versions 13.7.0 and earlier. This flaw allows machine-to-machine tokens to potentially authenticate as legitimate users, compromising user accounts. The vulnerability stems from how the league/oauth2-server library handles the JWT sub claim and the subsequent validation process within the token guard. A fix is available in version 13.7.1.
The primary impact of CVE-2026-39976 is unauthorized access to user accounts. Attackers can leverage client credentials tokens to impersonate legitimate users, gaining access to sensitive data and performing actions on their behalf. This is particularly concerning in environments where client applications have elevated privileges. The vulnerability arises because the JWT sub claim, which should identify the user, is instead set to the client identifier. The token guard then uses this client identifier to retrieve user information without proper validation, potentially resolving an unrelated real user. This bypass circumvents standard authentication controls, allowing attackers to gain unauthorized access.
CVE-2026-39976 was publicly disclosed on 2026-04-08. The vulnerability's impact is significant due to the potential for unauthorized user access. While no public exploits have been confirmed at the time of writing, the ease of exploitation makes it a likely target for malicious actors. The vulnerability is not currently listed on CISA KEV, but its severity warrants monitoring.
Exploit status
EPSS: 0.07% (20th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2026-39976 is to upgrade Laravel Passport to version 13.7.1 or later. Prior to upgrading, assess the potential impact on existing client applications and consider a phased rollout. If upgrading is not immediately feasible, temporarily disable the EnsureClientIsResourceOwner middleware if it's being used with Passport::$clientUuids set to false. Monitor authentication logs for suspicious activity and implement stricter client credential validation rules where possible. After upgrading, confirm the fix by attempting to generate a client credentials token and verifying that it does not resolve to an unintended user.
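To make the mechanism described above and the guard-side validation recommended in the mitigation concrete, here is an added PHP illustration; it is not Passport's or league/oauth2-server's own code. The array shapes standing in for the decoded JWT claims, the oauth_access_tokens rows and the user table are assumptions.

```php
<?php
declare(strict_types=1);

// Added illustration, not Passport's own guard code. Array shapes are assumptions:
// $claims mirrors the decoded JWT (jti, sub), $tokens mirrors oauth_access_tokens
// rows keyed by token id (user_id, client_id), $users maps user ids to user names.

/** Vulnerable pattern: trust `sub` as a user id without checking how the token was issued. */
function resolveUserVulnerable(array $claims, array $users): ?string
{
    return $users[$claims['sub']] ?? null;
}

/** Hardened pattern: resolve a user only for tokens that were issued to a resource owner. */
function resolveUserHardened(array $claims, array $tokens, array $users): ?string
{
    $row = $tokens[$claims['jti']] ?? null;
    if ($row === null) {
        return null;                       // unknown or revoked token
    }
    if ($row['user_id'] === null) {
        return null;                       // client_credentials token: there is no user to resolve
    }
    if ((string) $claims['sub'] !== (string) $row['user_id']) {
        return null;                       // `sub` does not match the token's real owner
    }
    return $users[$row['user_id']] ?? null;
}

// Constructed sample: integer client ids (Passport::$clientUuids = false) that collide with user ids.
$users  = [5 => 'alice', 42 => 'bob'];
$tokens = ['jti-1' => ['user_id' => null, 'client_id' => 5]];
$claims = ['jti' => 'jti-1', 'sub' => '5'];   // sub carries the client identifier, not a user id

var_dump(resolveUserVulnerable($claims, $users));           // vulnerable: client 5 resolves to user 5
var_dump(resolveUserHardened($claims, $tokens, $users));    // hardened: refused, no resource owner
```

The same two checks (token row has a user_id, and `sub` equals that user_id) are what a custom token-guard validation or a post-upgrade verification should assert.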
Update Laravel Passport to version 13.7.1 or higher to fix the authentication bypass vulnerability. This update fixes the problem by correctly validating user identifiers when generating client_credentials tokens.
It's an OAuth2 token type used for machine-to-machine application authentication, where no end-user is directly involved.
This version contains the fix for CVE-2026-39976, which mitigates the authentication bypass vulnerability.
It's a configuration in Laravel Passport that defines a list of authorized client UUIDs. Incorrect configuration can increase the risk of exploitation.
If you are using Laravel Passport with client_credentials tokens and have not upgraded to version 13.7.1 or higher, you are likely vulnerable.
Implement a custom validation in the token guard to verify that the 'sub' value is a valid user identifier.