PT-2026-31663 · Taylor Otwell +1 · Laravel Passport +1

Published: 2026-04-08 · Updated: 2026-04-09 · CVE-2026-39976

CVSS v3.1: 7.1 (High)
Vector: AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:L/A:N
Name of the Vulnerable Software and Affected Versions: Laravel Passport versions 13.0.0 through 13.7.0

Description: Laravel Passport, which provides OAuth2 server support to Laravel, contains an authentication bypass issue for client credentials tokens. The league/oauth2-server library sets the JWT sub claim to the client identifier. The token guard then passes this value to the retrieveById() function without verifying that it corresponds to a user identifier, so it can resolve an actual user whose identifier happens to equal the client identifier. As a result, any machine-to-machine token can authenticate as a user.

Recommendations: Update to Laravel Passport version 13.7.1 or later.
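The defect described above, as an added illustrative example in PHP. This is not code from Laravel Passport or league/oauth2-server; it is a deliberately simplified token guard and user provider, with constructed tokens, that models the collision between a client identifier in the JWT sub claim and a user identifier of the same value. The AccessToken shape (a server-side userId binding that is null for client credentials tokens) and the hardened check are assumptions made for this example, not necessarily the fix shipped in 13.7.1.

```php
<?php
// Added example, not Passport's own code. Models the advisory's defect:
// a client credentials JWT carries the client id in `sub`, and a guard that
// feeds `sub` straight into retrieveById() resolves a real user whose id
// equals that client id. The hardened guard refuses to resolve a user for a
// token that has no user binding.

declare(strict_types=1);

// Constructed user store standing in for a Laravel UserProvider.
final class UserProvider
{
    /** @var array<int, array{id:int, name:string}> */
    private array $users = [
        7 => ['id' => 7, 'name' => 'alice'],
    ];

    public function retrieveById(int|string $id): ?array
    {
        return $this->users[(int) $id] ?? null;
    }
}

// Constructed view of an already validated access token: the JWT claims
// plus the server-side record of which user (if any) the token was issued
// for. This shape is an assumption for the example.
final class AccessToken
{
    public function __construct(
        public readonly string $sub,       // JWT subject claim
        public readonly string $clientId,  // OAuth client the token was issued to
        public readonly ?int $userId,      // user binding; null for machine tokens
    ) {}

    public function isClientCredentials(): bool
    {
        return $this->userId === null;
    }
}

// Vulnerable guard: trusts `sub` as a user identifier unconditionally.
function vulnerableUser(AccessToken $token, UserProvider $users): ?array
{
    return $users->retrieveById($token->sub);
}

// Hardened guard: a token with no user binding never yields a user, and a
// user token is resolved only when `sub` agrees with its own binding.
function hardenedUser(AccessToken $token, UserProvider $users): ?array
{
    if ($token->isClientCredentials()) {
        return null; // machine-to-machine token: no user context at all
    }
    if ((string) $token->userId !== $token->sub) {
        return null; // subject claim does not match the issued user binding
    }
    return $users->retrieveById($token->userId);
}

$users = new UserProvider();

// Constructed tokens: a client credentials token for OAuth client id 7,
// which collides with user id 7 in the store, and a genuine user token.
$machineToken = new AccessToken(sub: '7', clientId: '7', userId: null);
$userToken    = new AccessToken(sub: '7', clientId: '3', userId: 7);

var_dump(vulnerableUser($machineToken, $users));
var_dump(hardenedUser($machineToken, $users));
var_dump(hardenedUser($userToken, $users));
```

Running the script shows the vulnerable guard returning alice's record for the machine token, while the hardened guard returns null for it and still resolves alice for the genuine user token. The practical point for defenders is that a JWT subject is only meaningful relative to the grant that issued it; an authentication guard must establish that the token represents a user before treating sub as a user key.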

Fix

Weakness Enumeration

Improper Authentication

Related Identifiers

BDU:2026-05283
CVE-2026-39976
GHSA-349C-2H2F-MXF6

Affected Products

Laravel Passport
League/Oauth2-Server