CVE-2026-39976
Status: Received - Intake
Authentication Bypass in Laravel Passport via client_credentials Tokens

Publication date: 2026-04-09

Last updated on: 2026-04-09

Assigner: GitHub, Inc.

Description
Laravel Passport provides OAuth2 server support to Laravel. From 13.0.0 to before 13.7.1, there is an Authentication Bypass for client_credentials tokens. The league/oauth2-server library sets the JWT sub claim to the client identifier (since there is no user). The token guard then passes this value to retrieveById() without validating that it is actually a user identifier, potentially resolving an unrelated real user. Any machine-to-machine token can inadvertently authenticate as an actual user. This vulnerability is fixed in 13.7.1.
Meta Information
Published: 2026-04-09
Last Modified: 2026-04-09
Generated: 2026-05-07
AI Q&A: 2026-04-09
EPSS Evaluated: 2026-05-05
Affected Vendors & Products
Vendor        Product        Version / Range
laravel       passport       up to 13.7.1 (excluding 13.7.1)
thephpleague  oauth2-server  9
CWE-287: When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2026-39976 is an authentication bypass vulnerability in Laravel Passport versions from 13.0.0 to before 13.7.1. It arises because the OAuth2 server library (league/oauth2-server) sets the JWT 'sub' (subject) claim to the client identifier for client_credentials tokens, even though no user is associated with these tokens.

Laravel Passport's TokenGuard then uses this 'sub' claim value to retrieve a user by calling retrieveById() without verifying if this identifier actually corresponds to a user. Because of this, a machine-to-machine client_credentials token can inadvertently authenticate as an unrelated real user.

This happens especially when user IDs are integers and client IDs are UUIDs or integers that can be implicitly cast by the database, causing mismatches and unintended user impersonation.


How can this vulnerability impact me?

This vulnerability can allow an attacker possessing a client_credentials token to impersonate an unrelated real user in the system.

Because the token's client identifier is misinterpreted as a user identifier, the attacker can gain unauthorized access to user-specific resources and data.

This can lead to unauthorized data exposure, privilege escalation, and bypass of intended authentication controls, potentially compromising confidentiality and integrity of user data.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability involves client_credentials tokens being misinterpreted as user tokens due to improper validation of the JWT sub claim. Detection involves monitoring OAuth2 token usage and verifying whether client_credentials tokens are being used to authenticate as actual users.

You can detect potential exploitation by checking authentication logs for unexpected user authentications originating from client_credentials tokens.

Suggested commands include querying your authentication logs or database for tokens issued with the client_credentials grant and verifying if any user sessions correspond to these tokens.

  • Check issued tokens with client_credentials grant type in your OAuth token storage.
  • Query your user sessions or authentication logs for sessions authenticated with tokens whose sub claim matches client IDs rather than user IDs.
  • If using MySQL, look for cases where client UUIDs are implicitly cast to integers matching user IDs, e.g., by running SQL queries to find user IDs matching numeric prefixes of client IDs.

Specific commands depend on your environment, but for example, in Laravel you might run database queries like: SELECT * FROM oauth_access_tokens WHERE grant_type = 'client_credentials'; and cross-reference with user IDs.
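The following is an added, self-contained PHP model of the flaw described in the explanation above and of the cross-reference suggested in this detection answer; it is not code from Laravel Passport or league/oauth2-server. Every class, function and record in it (InMemoryUserProvider, resolveUserVulnerable, resolveUserFixed, auditClientCredentialsTokens, the sample users and token rows) is an assumption constructed for the demonstration, and the hardened resolver shows one way to establish what the mitigation bullet below asks for (that the user id on the token belongs to a real user, not a client), not necessarily the exact change shipped in 13.7.1.

```php
<?php
declare(strict_types=1);

// Added illustrative model of CVE-2026-39976, not Passport's or
// league/oauth2-server's code. All names and sample data below are assumptions
// constructed for this demonstration. Run with: php guard_model.php

/** Stand-in for Laravel's UserProvider::retrieveById() over an integer primary
 *  key. MySQL compares an INT column with a string by converting the string's
 *  leading digits ('7b1c-...' compares equal to 7); PHP's (int) cast does the
 *  same, which is how this lookup reproduces that implicit-cast behaviour. */
final class InMemoryUserProvider
{
    /** @param array<int, array{id:int, email:string}> $users keyed by id */
    public function __construct(private array $users) {}

    public function retrieveById(string|int $identifier): ?array
    {
        return $this->users[(int) $identifier] ?? null;
    }
}

/** Stored token rows (oauth_access_tokens-like, fields assumed): user_id is
 *  null for a client_credentials token. Constructed sample data. */
function sampleTokens(): array
{
    return [
        'tok-user'  => ['user_id' => 7,    'client_id' => 'a9d3-web-client'],
        'tok-m2m-1' => ['user_id' => null, 'client_id' => '7b1c-billing-job'],
        'tok-m2m-2' => ['user_id' => null, 'client_id' => 'f00d-report-job'],
        'tok-m2m-3' => ['user_id' => null, 'client_id' => '12'],
    ];
}

function sampleUsers(): InMemoryUserProvider
{
    return new InMemoryUserProvider([
        7  => ['id' => 7,  'email' => 'alice@example.test'],
        12 => ['id' => 12, 'email' => 'bob@example.test'],
    ]);
}

/** JWT claims as league/oauth2-server issues them: 'aud' is the client id and
 *  'sub' the user id, except for client_credentials, where 'sub' is set to the
 *  client id because there is no user. */
function claimsFor(string $jti, array $record): array
{
    $sub = $record['user_id'] === null ? $record['client_id'] : (string) $record['user_id'];
    return ['jti' => $jti, 'aud' => $record['client_id'], 'sub' => $sub];
}

/** Vulnerable pattern (Passport 13.0.0 to 13.7.0 as the advisory describes it):
 *  whatever 'sub' holds is handed to retrieveById() unchecked. */
function resolveUserVulnerable(array $claims, InMemoryUserProvider $users): ?array
{
    return $users->retrieveById($claims['sub']);
}

/** Hardened pattern: consult the stored token record first. A token with no
 *  user_id is machine-to-machine and resolves to nobody, and the subject claim
 *  must agree with the stored user id before the user provider is asked. */
function resolveUserFixed(array $claims, array $record, InMemoryUserProvider $users): ?array
{
    if ($record['user_id'] === null) {
        return null;
    }
    if ($claims['sub'] !== (string) $record['user_id']) {
        return null;
    }
    return $users->retrieveById($record['user_id']);
}

/** Audit for the detection question: which stored client_credentials tokens
 *  would, under the vulnerable guard, resolve to a real user? Returns
 *  token id => email of the user that would be impersonated. */
function auditClientCredentialsTokens(array $tokens, InMemoryUserProvider $users): array
{
    $findings = [];
    foreach ($tokens as $jti => $record) {
        if ($record['user_id'] !== null) {
            continue;   // user-bound token, not the failure mode in question
        }
        $user = resolveUserVulnerable(claimsFor($jti, $record), $users);
        if ($user !== null) {
            $findings[$jti] = $user['email'];
        }
    }
    return $findings;
}

$users  = sampleUsers();
$tokens = sampleTokens();
foreach ($tokens as $jti => $record) {
    $claims = claimsFor($jti, $record);
    $vuln   = resolveUserVulnerable($claims, $users);
    $fixed  = resolveUserFixed($claims, $record, $users);
    printf("%-10s sub=%-18s vulnerable=%-20s fixed=%s\n",
        $jti, $claims['sub'], $vuln['email'] ?? 'no user', $fixed['email'] ?? 'no user');
}
print_r(auditClientCredentialsTokens($tokens, $users));
```

In the run, the two machine-to-machine tokens whose client id starts with digits ('7b1c-billing-job' and '12') resolve to alice and bob under the vulnerable resolver and to no user under the hardened one, while the token whose client id starts with a letter casts to 0 and matches nobody either way; the audit function reports exactly the first two. A real audit replaces the sample arrays with rows from the token store and the users table, keeping the same null-user_id filter and the same leading-digit comparison the database applies.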


What immediate steps should I take to mitigate this vulnerability?

The primary mitigation is to upgrade Laravel Passport to version 13.7.1 or later, where this vulnerability is fixed.

Before upgrading, as a workaround, you should disallow the use of client_credentials tokens to prevent unauthorized user impersonation.

Additional mitigation steps include:

  • Ensure that the TokenGuard's authenticateViaBearerToken() method properly validates that the oauth_user_id corresponds to a real user and not a client ID.
  • If using integer IDs for users and clients, be aware of implicit type casting issues and consider migrating to UUIDs for client IDs to avoid collisions.
  • Apply patches or pull requests that scope the user ID and client ID checks correctly, such as those merged in pull requests #1901 and #1902.

How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

The vulnerability in CVE-2026-39976 allows a machine-to-machine client credentials token to inadvertently authenticate as an unrelated real user due to improper validation of the JWT subject claim. This user impersonation flaw can lead to unauthorized access to user data.

Such unauthorized access and user impersonation can result in violations of data protection regulations and standards like GDPR and HIPAA, which require strict access controls and protection of personal and sensitive information.

Specifically, if an attacker uses a client credentials token to access data as another user, it could lead to confidentiality breaches and non-compliance with regulatory requirements for user authentication and data privacy.

Therefore, this vulnerability poses a significant risk to compliance with standards that mandate secure authentication and authorization mechanisms.

