Authentication Bypass for client_credentials tokens. the league/oauth2-server library sets the JWT sub claim to the client identifier (since there's no user). The token guard then passes this value to retrieveById() without validating it's actually a user identifier, potentially resolving an unrelated real user. Any machine-to-machine token can inadvertently authenticate as an actual user.
Usage of EnsureClientIsResourceOwner middleware together with Passport::$clientUuids set to false, can result in resolving the user instead, as stated in the documentation.
> The underlying OAuth2 server sets the token's sub claim to the client's identifier for client credentials tokens. By default, Passport uses UUIDs for clients, so this cannot collide with a user's integer primary key. However, if you have set Passport::$clientUuids to false, a client credentials token may inadvertently resolve a user whose ID matches the client's ID. In such cases, using this middleware cannot guarantee that the incoming token is a client credentials token.
Patched in v13.7.1
Is there a way for users to fix or remediate the vulnerability without upgrading?
Disallow usage of client_credentials.
| Score | Percentile |
|---|---|
| 0.07% | 20.23% |
| Base score | Version | Severity | Vector |
|---|---|---|---|
| 7.1 | 3.1 | — |
|
| Type | Value |
|---|---|
| GHSA | GHSA-349c-2h2f-mxf6 ↗ |
| CVE | CVE-2026-39976 ↗ |
| CWE id | Name |
|---|---|
| CWE-287 | Improper Authentication |
Vulnerable version ranges and first patched releases as published by GitHub.
| Ecosystem | Package | Vulnerable range | First patched | Vulnerable functions |
|---|---|---|---|---|
| composer | laravel/passport | >= 13.0.0, < 13.7.1 | 13.7.1 | — |