Cyber Resilience

CVE-2026-39976

HighPublic PoCUpdated

Published: 09 April 2026

Published
09 April 2026
Modified
02 June 2026
KEV Added
Patch
CVSS Score v3.1 7.1 CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:L/A:N
EPSS Score 0.0011 29.4th percentile
Risk Priority 14 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-39976 is a high-severity Improper Authentication (CWE-287) vulnerability in Laravel Passport. Its CVSS base score is 7.1 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 29.4th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 IA-2 (Identification and Authentication (Organizational Users)) and IA-4 (Identifier Management).

Deeper analysis

CVE-2026-39976 is an authentication bypass vulnerability in Laravel Passport, a package that provides OAuth2 server support for Laravel applications. It affects versions from 13.0.0 through 13.7.0, stemming from an interaction with the league/oauth2-server library. In client_credentials grant flows, the library sets the JWT subject (sub) claim to the client identifier since no user is involved. Laravel Passport's token guard then passes this client ID directly to the user provider's retrieveById() method without validating whether it corresponds to an actual user ID, potentially resolving and authenticating an unrelated real user account.

An attacker with low privileges (PR:L) who possesses a valid machine-to-machine client_credentials token can exploit this over the network (AV:N) without user interaction (UI:N). By crafting or using a token where the client ID matches an existing user ID, the attacker authenticates as that user, achieving high confidentiality impact (C:H) such as accessing sensitive user data, with low integrity impact (I:L) and no availability impact (A:N). The attack requires high complexity (AC:H) due to the need for ID collision, but scope changes to changed components (S:C), earning a CVSS v3.1 base score of 7.1 and mapping to CWE-287 (Improper Authentication).

Advisories and patches, detailed in GitHub security advisory GHSA-349c-2h2f-mxf6 and related issues/pull requests in laravel/passport and thephpleague/oauth2-server repositories, confirm the fix in Laravel Passport version 13.7.1. Security practitioners should upgrade to 13.7.1 or later to mitigate the issue, as no workarounds are specified in the provided references.

EU & UK References

Vulnerability details

Laravel Passport provides OAuth2 server support to Laravel. From 13.0.0 to before 13.7.1, there is an Authentication Bypass for client_credentials tokens. the league/oauth2-server library sets the JWT sub claim to the client identifier (since there's no user). The token guard…

more

then passes this value to retrieveById() without validating it's actually a user identifier, potentially resolving an unrelated real user. Any machine-to-machine token can inadvertently authenticate as an actual user. This vulnerability is fixed in 13.7.1.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

The authentication bypass in Laravel Passport's OAuth2 token handling directly enables network exploitation of a public-facing web application to achieve unauthorized user authentication and data access.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2025-27515Same vendor: Laravel
CVE-2025-54068Same vendor: Laravel
CVE-2026-23524Same vendor: Laravel
CVE-2025-71279Shared CWE-287
CVE-2024-13804Shared CWE-287
CVE-2024-57046Shared CWE-287
CVE-2026-1203Shared CWE-287
CVE-2026-1740Shared CWE-287
CVE-2025-43995Shared CWE-287
CVE-2026-7876Shared CWE-287

Affected Assets

laravel
passport
13.0.0 — 13.7.1

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Remediating known flaws such as the Laravel Passport authentication bypass by applying patches like version 13.7.1 directly prevents exploitation of client_credentials tokens authenticating as users.

prevent

Managing identifiers to minimize collisions between client and user ID spaces prevents client_credentials JWT sub claims from resolving to real user accounts.

prevent

Enforcing unique identification and authentication for organizational users prevents token guards from improperly validating client identifiers as user credentials.

References