CVE-2026-39976
Published: 09 April 2026
Summary
CVE-2026-39976 is a high-severity Improper Authentication (CWE-287) vulnerability. Its CVSS base score is 7.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 19.9th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 IA-2 (Identification and Authentication (Organizational Users)) and IA-4 (Identifier Management).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Remediating known flaws such as the Laravel Passport authentication bypass by applying patches like version 13.7.1 directly prevents exploitation of client_credentials tokens authenticating as users.
Managing identifiers to minimize collisions between client and user ID spaces prevents client_credentials JWT sub claims from resolving to real user accounts.
Enforcing unique identification and authentication for organizational users prevents token guards from improperly validating client identifiers as user credentials.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
The authentication bypass in Laravel Passport's OAuth2 token handling directly enables network exploitation of a public-facing web application to achieve unauthorized user authentication and data access.
NVD Description
Laravel Passport provides OAuth2 server support to Laravel. From 13.0.0 to before 13.7.1, there is an Authentication Bypass for client_credentials tokens. the league/oauth2-server library sets the JWT sub claim to the client identifier (since there's no user). The token guard…
more
then passes this value to retrieveById() without validating it's actually a user identifier, potentially resolving an unrelated real user. Any machine-to-machine token can inadvertently authenticate as an actual user. This vulnerability is fixed in 13.7.1.
Deeper analysisAI
CVE-2026-39976 is an authentication bypass vulnerability in Laravel Passport, a package that provides OAuth2 server support for Laravel applications. It affects versions from 13.0.0 through 13.7.0, stemming from an interaction with the league/oauth2-server library. In client_credentials grant flows, the library sets the JWT subject (sub) claim to the client identifier since no user is involved. Laravel Passport's token guard then passes this client ID directly to the user provider's retrieveById() method without validating whether it corresponds to an actual user ID, potentially resolving and authenticating an unrelated real user account.
An attacker with low privileges (PR:L) who possesses a valid machine-to-machine client_credentials token can exploit this over the network (AV:N) without user interaction (UI:N). By crafting or using a token where the client ID matches an existing user ID, the attacker authenticates as that user, achieving high confidentiality impact (C:H) such as accessing sensitive user data, with low integrity impact (I:L) and no availability impact (A:N). The attack requires high complexity (AC:H) due to the need for ID collision, but scope changes to changed components (S:C), earning a CVSS v3.1 base score of 7.1 and mapping to CWE-287 (Improper Authentication).
Advisories and patches, detailed in GitHub security advisory GHSA-349c-2h2f-mxf6 and related issues/pull requests in laravel/passport and thephpleague/oauth2-server repositories, confirm the fix in Laravel Passport version 13.7.1. Security practitioners should upgrade to 13.7.1 or later to mitigate the issue, as no workarounds are specified in the provided references.
Details
- CWE(s)