CVE-2026-39976
Analyzed Analyzed - Analysis Complete
Authentication Bypass in Laravel Passport via client_credentials Tokens

Publication date: 2026-04-09

Last updated on: 2026-06-02

Assigner: GitHub, Inc.

Description
Laravel Passport provides OAuth2 server support to Laravel. From 13.0.0 to before 13.7.1, there is an Authentication Bypass for client_credentials tokens. the league/oauth2-server library sets the JWT sub claim to the client identifier (since there's no user). The token guard then passes this value to retrieveById() without validating it's actually a user identifier, potentially resolving an unrelated real user. Any machine-to-machine token can inadvertently authenticate as an actual user. This vulnerability is fixed in 13.7.1.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-09
Last Modified
2026-06-02
Generated
2026-06-16
AI Q&A
2026-04-09
EPSS Evaluated
2026-06-15
NVD
CVE-2026-39976
EUVD
EUVD-2026-20970
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
laravel passport From 13.0.0 (inc) to 13.7.1 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-287 When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Compliance Impact

The vulnerability in CVE-2026-39976 allows a machine-to-machine client credentials token to inadvertently authenticate as an unrelated real user due to improper validation of the JWT subject claim. This user impersonation flaw can lead to unauthorized access to user data.

Such unauthorized access and user impersonation can result in violations of data protection regulations and standards like GDPR and HIPAA, which require strict access controls and protection of personal and sensitive information.

Specifically, if an attacker uses a client credentials token to access data as another user, it could lead to confidentiality breaches and non-compliance with regulatory requirements for user authentication and data privacy.

Therefore, this vulnerability poses a significant risk to compliance with standards that mandate secure authentication and authorization mechanisms.

Executive Summary

CVE-2026-39976 is an authentication bypass vulnerability in Laravel Passport versions from 13.0.0 to before 13.7.1. It arises because the OAuth2 server library (league/oauth2-server) sets the JWT 'sub' (subject) claim to the client identifier for client_credentials tokens, even though no user is associated with these tokens.

Laravel Passport's TokenGuard then uses this 'sub' claim value to retrieve a user by calling retrieveById() without verifying if this identifier actually corresponds to a user. Because of this, a machine-to-machine client_credentials token can inadvertently authenticate as an unrelated real user.

This happens especially when user IDs are integers and client IDs are UUIDs or integers that can be implicitly cast by the database, causing mismatches and unintended user impersonation.

Impact Analysis

This vulnerability can allow an attacker possessing a client_credentials token to impersonate an unrelated real user in the system.

Because the token's client identifier is misinterpreted as a user identifier, the attacker can gain unauthorized access to user-specific resources and data.

This can lead to unauthorized data exposure, privilege escalation, and bypass of intended authentication controls, potentially compromising confidentiality and integrity of user data.

Detection Guidance

This vulnerability involves client_credentials tokens being misinterpreted as user tokens due to improper validation of the JWT sub claim. Detection involves monitoring OAuth2 token usage and verifying whether client_credentials tokens are being used to authenticate as actual users.

You can detect potential exploitation by checking authentication logs for unexpected user authentications originating from client_credentials tokens.

Suggested commands include querying your authentication logs or database for tokens issued with the client_credentials grant and verifying if any user sessions correspond to these tokens.

  • Check issued tokens with client_credentials grant type in your OAuth token storage.
  • Query your user sessions or authentication logs for sessions authenticated with tokens whose sub claim matches client IDs rather than user IDs.
  • If using MySQL, look for cases where client UUIDs are implicitly cast to integers matching user IDs, e.g., by running SQL queries to find user IDs matching numeric prefixes of client IDs.

Specific commands depend on your environment, but for example, in Laravel you might run database queries like: SELECT * FROM oauth_access_tokens WHERE grant_type = 'client_credentials'; and cross-reference with user IDs.

Mitigation Strategies

The primary mitigation is to upgrade Laravel Passport to version 13.7.1 or later, where this vulnerability is fixed.

Before upgrading, as a workaround, you should disallow the use of client_credentials tokens to prevent unauthorized user impersonation.

Additional mitigation steps include:

  • Ensure that the TokenGuard's authenticateViaBearerToken() method properly validates that the oauth_user_id corresponds to a real user and not a client ID.
  • If using integer IDs for users and clients, be aware of implicit type casting issues and consider migrating to UUIDs for client IDs to avoid collisions.
  • Apply patches or pull requests that scope the user ID and client ID checks correctly, such as those merged in pull requests #1901 and #1902.
Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-39976. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart