Platform: laravel
Component: laravel/passport
Fixed in: 13.0.1, 13.7.1
CVE-2026-39976 describes an authentication bypass vulnerability affecting Laravel Passport versions 13.7.0 and earlier. This flaw allows machine-to-machine tokens to potentially authenticate as legitimate users, compromising user accounts. The vulnerability stems from how the league/oauth2-server library handles the JWT sub claim and the subsequent validation process within the token guard. A fix is available in version 13.7.1.
CVE-2026-39976 is an authentication bypass vulnerability in Laravel Passport, specifically related to the use of client_credentials tokens and the league/oauth2-server library. The vulnerability lies in how the library sets the JWT 'sub' (subject) claim. In client_credentials token scenarios (where no user is associated), the library uses the client identifier as the value of 'sub'. The Laravel token guard, without proper validation, passes this value to retrieveById(), potentially resulting in the retrieval of a real, unexpected user. This allows a machine-to-machine token, created for a specific client, to inadvertently authenticate as a legitimate user of the system. The vulnerability is exacerbated when the EnsureClientIsResourceOwner middleware is used and Passport::$clientUuids is configured.
An attacker could exploit this vulnerability by generating a client_credentials token for an OAuth2 client. Due to the way the 'sub' claim is set, the attacker could manipulate the token so that the Laravel token guard attempts to retrieve a real user by their client ID. If the client ID matches an existing user ID, the attacker could gain unauthorized access to that user's account. The likelihood of success depends on whether the client ID matches an existing user ID. The EnsureClientIsResourceOwner middleware and the Passport::$clientUuids configuration can influence the attack surface, restricting which clients can be used for this type of attack.
Exploit Status
EPSS: 0.07% (20th percentile)
The primary mitigation for CVE-2026-39976 is to upgrade to Laravel Passport version 13.7.1 or higher. This update corrects the vulnerability by properly validating the 'sub' value in the JWT token during the authentication process. Additionally, review the configuration of Passport::$clientUuids to ensure that only authorized client UUIDs are included. If an immediate upgrade is not possible, a custom validation can be implemented in the token guard to verify that the 'sub' value corresponds to a valid user identifier before calling retrieveById(). Applying this fix as soon as possible is crucial to prevent potential authentication bypass attacks.
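As an added illustration (not Passport's own code and not the 13.7.1 fix), the following sketches the kind of guard-side check the paragraph suggests: a user is resolved from 'sub' only when the token's persisted record carries a non-null user_id that matches it. TokenStore, SubjectResolver and the sample rows are hypothetical; the example assumes client_credentials tokens are stored with a null user_id, as in Passport's oauth_access_tokens table, and that the claims have already been signature-verified by the OAuth2 server.

```php
<?php
declare(strict_types=1);

// Added illustration, not Passport's code: decide whether a JWT's 'sub' claim
// may be handed to retrieveById(). Claims are assumed already verified.

/** Hypothetical token store: jti => persisted access-token row. */
final class TokenStore
{
    public function __construct(private array $rows) {}
    public function find(string $jti): ?array { return $this->rows[$jti] ?? null; }
}

final class SubjectResolver
{
    /** @param callable(string): ?array $retrieveById the guard's user lookup */
    public function __construct(private TokenStore $tokens, private $retrieveById) {}

    /** Returns the user for a user-bound token, null for a client_credentials token. */
    public function resolve(array $claims): ?array
    {
        $jti = $claims['jti'] ?? null;
        $sub = $claims['sub'] ?? null;
        $row = is_string($jti) ? $this->tokens->find($jti) : null;
        if ($row === null || $sub === null) {
            return null; // unknown or revoked token: never guess a user
        }
        // client_credentials tokens are persisted with no user_id (assumed here);
        // the library fills 'sub' with the client identifier instead. Require a
        // stored user_id that matches 'sub' before touching the user table.
        if ($row['user_id'] === null || (string) $row['user_id'] !== (string) $sub) {
            return null;
        }
        return ($this->retrieveById)((string) $sub);
    }
}

// Constructed sample data: client id "42" collides with user id 42.
$users = ['42' => ['id' => 42, 'email' => 'alice@example.com']];
$store = new TokenStore([
    'm2m-token'  => ['client_id' => '42', 'user_id' => null], // client_credentials grant
    'user-token' => ['client_id' => '42', 'user_id' => 42],   // authorization_code grant
]);
$resolver = new SubjectResolver($store, fn (string $id): ?array => $users[$id] ?? null);

$machine    = ['jti' => 'm2m-token',  'aud' => ['42'], 'sub' => '42'];
$userToken  = ['jti' => 'user-token', 'aud' => ['42'], 'sub' => '42'];
$mismatched = ['jti' => 'user-token', 'aud' => ['42'], 'sub' => '7'];

assert($resolver->resolve($machine) === null);    // machine token never becomes user 42
assert($resolver->resolve($userToken)['id'] === 42);
assert($resolver->resolve($mismatched) === null); // 'sub' disagrees with stored user_id
```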
Update Laravel Passport to version 13.7.1 or higher to mitigate the authentication bypass vulnerability. This update fixes the issue by correctly validating user identifiers when generating client_credentials tokens.
What is a client_credentials token?
It's an OAuth2 token type used for machine-to-machine application authentication, where no end-user is directly involved.
Why upgrade to version 13.7.1?
This version contains the fix for CVE-2026-39976, which mitigates the authentication bypass vulnerability.
What is Passport::$clientUuids?
It's a configuration in Laravel Passport that defines a list of authorized client UUIDs. Incorrect configuration can increase the risk of exploitation.
Am I affected?
If you are using Laravel Passport with client_credentials tokens and have not upgraded to version 13.7.1 or higher, you are likely vulnerable.
What can I do if I cannot upgrade immediately?
Implement a custom validation in the token guard to verify that the 'sub' value is a valid user identifier.