Laravel Passport: TokenGuard Authenticates Unrelated User for Client Credentials Tokens

Description

Impact

Authentication Bypass for client_credentials tokens. the league/oauth2-server library sets the JWT sub claim to the client identifier (since there's no user). The token guard then passes this value to retrieveById() without validating it's actually a user identifier, potentially resolving an unrelated real user. Any machine-to-machine token can inadvertently authenticate as an actual user.

Usage of EnsureClientIsResourceOwner middleware together with Passport::$clientUuids set to false, can result in resolving the user instead, as stated in the documentation.

> The underlying OAuth2 server sets the token's sub claim to the client's identifier for client credentials tokens. By default, Passport uses UUIDs for clients, so this cannot collide with a user's integer primary key. However, if you have set Passport::$clientUuids to false, a client credentials token may inadvertently resolve a user whose ID matches the client's ID. In such cases, using this middleware cannot guarantee that the incoming token is a client credentials token.

Patches

Patched in v13.7.1

Workarounds

Is there a way for users to fix or remediate the vulnerability without upgrading?
Disallow usage of client_credentials.

References

  • https://github.com/laravel/passport/issues/1900
  • https://github.com/laravel/passport/pull/1901
  • https://github.com/laravel/passport/pull/1902
  • https://github.com/thephpleague/oauth2-server/issues/1456#issuecomment-2734989996

Basic information

Type
reviewed
Severity
high
Advisory on GitHub
Open advisory ↗
Repository advisory
Open repository advisory ↗
Source code
Browse source ↗
Published (advisory)
2026-04-08 19:57:55 UTC
Updated
2026-04-13 17:48:47 UTC
GitHub reviewed
2026-04-08 19:57:55 UTC
NVD published
2026-04-09

EPSS Score

Score Percentile
0.07% 20.23%

CVSS Scores

Base score Version Severity Vector
7.1 3.1
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:L/A:N Click to expand
Attack vector (AV:N)
Could be attacked over the internet or any normal routed network—not just someone sitting at the machine.
Attack complexity (AC:H)
Even with access, the exploit needs extra luck, timing, or a fussy environment to actually work.
Privileges required (PR:L)
A normal user session is enough; they don’t have to be admin.
User interaction (UI:N)
Nobody has to click “OK” or open a trap file; it can work without a victim helping.
Scope (S:C)
Breaking this can reach past the original component and bite other resources—bigger blast radius.
Confidentiality (C:H)
Serious risk that confidential data gets exposed in a big way.
Integrity (I:L)
Attackers could change some data, but it’s limited—not everything goes.
Availability (A:N)
Service keeps running; no real outage angle.

Identifiers

CWEs

CWE id Name
CWE-287 Improper Authentication

Credits

  • pushpak1300 (remediation_developer)
  • hafezdivandari (remediation_reviewer)

Affected packages (1)

Vulnerable version ranges and first patched releases as published by GitHub.

Ecosystem Package Vulnerable range First patched Vulnerable functions
composer laravel/passport >= 13.0.0, < 13.7.1 13.7.1

References

cvelogic Threat Intelligence