Authentication Bypass Vulnerability in Laravel Passport OAuth2 Server
CVE-2026-39976

7.1 HIGH

Key Information:

Vendor: Laravel
Status: Vendor
CVE Published: 9 April 2026

What is CVE-2026-39976?

An authentication bypass vulnerability has been identified in the Laravel Passport package, affecting OAuth2 tokens generated by versions 13.0.0 up to, but not including, 13.7.1. The issue arises from the way the league/oauth2-server library sets the JWT subject (`sub`) claim to the client identifier. Because the token guard reads that claim as a user identifier without verifying that the token was actually issued to a user, a machine-to-machine token can be authenticated as a real user. This flaw poses a significant security risk, as it allows unauthorized access to user accounts. The vulnerability has been addressed in Laravel Passport version 13.7.1.
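To make the failure mode concrete, the following is an added illustration (not Passport's or league/oauth2-server's own code) of a token guard that trusts `sub` as a user id beside one that first checks the token record. It assumes a hypothetical token store where client-credentials tokens have no `user_id`, and uses the `jti`, `aud` and `sub` claims as league/oauth2-server issues them.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class TokenRecord:
    """Hypothetical access-token row; user_id is None for client-credentials tokens."""
    jti: str
    user_id: Optional[int]
    client_id: str


# Constructed fixtures: user 42 exists, and an OAuth client also has the identifier "42".
USERS = {42: "alice"}
TOKENS = {
    "tok-user": TokenRecord("tok-user", user_id=42, client_id="web-app"),
    "tok-m2m": TokenRecord("tok-m2m", user_id=None, client_id="42"),
}

# Claims as issued (constructed): for a client-credentials token the subject is the
# client identifier, so a machine token for client "42" carries sub == "42".
USER_TOKEN_CLAIMS = {"jti": "tok-user", "aud": "web-app", "sub": "42"}
M2M_TOKEN_CLAIMS = {"jti": "tok-m2m", "aud": "42", "sub": "42"}


def vulnerable_guard(claims: dict) -> Optional[str]:
    """Resolve the user from `sub` alone, the behaviour the advisory describes."""
    try:
        return USERS.get(int(claims["sub"]))
    except (KeyError, ValueError):
        return None


def hardened_guard(claims: dict) -> Optional[str]:
    """Accept `sub` as a user id only when the token record confirms a user token."""
    record = TOKENS.get(claims.get("jti", ""))
    if record is None or record.user_id is None:
        return None  # unknown token, or a machine token: never resolves to a user
    if record.client_id != claims.get("aud"):
        return None  # token was not issued to the client named in the JWT
    if str(record.user_id) != str(claims.get("sub")):
        return None  # sub must name the same user the token was issued to
    return USERS.get(record.user_id)
```

The vulnerable guard returns user 42 for the machine token because the client id collides with a user id, while the hardened guard rejects it on the missing `user_id`.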

Affected Version(s)

passport >= 13.0.0, < 13.7.1

CVSS V3.1

Score: 7.1
Severity: HIGH
Confidentiality: High
Integrity: Low
Availability: High
Attack Vector: Network
Attack Complexity: High
Privileges Required: Low
User Interaction: None
Scope: Changed

Timeline

  • Vulnerability published

  • Vulnerability reserved