Mohzubiri

**Name of the Vulnerable Software and Affected Versions** Laravel Passport versions 13.0.0 through 13.7.0 **Description** Laravel Passport, which provides OAuth2 server support to Laravel, contains an authentication bypass issue for `client credentials` tokens. The `league/oauth2-server` library sets the JWT `sub` claim to the client identifier. The token guard then uses this value with the `retrieveById()` function without verifying it corresponds to a user identifier, potentially authenticating as an actual user. This allows any machine-to-machine token to authenticate as a user. **Recommendations** Update to Laravel Passport version 13.7.1 or later.