Broken Authentication in Laravel Passport [CVE-2026-39976]

CVE-2026-39976 describes a broken authentication pathway in Laravel Passport where, from 13.0.0 up to 13.7.0 (before 13.7.1), there is an Authentication Bypass for client_credentials tokens. The league/oauth2-server library sets the JWT sub claim to the client identifier (since there's no user). The token guard then passes this value to retrieveById() without validating it's actually a user identifier, potentially resolving an unrelated real user. Any machine-to-machine token can inadvertently authenticate as an actual user. This vulnerability is fixed in 13.7.1. In real-world Laravel deployments, this manifests as a client_credentials token being treated as if it belonged to a user, allowing access to user-scoped resources when only client permissions were intended. The impact includes unintended data access and potential privilege escalation across user boundaries. Laravel applications relying on Passport must ensure that tokens issued for clients are not used to locate or impersonate real users. Exploitation typically requires an attacker to obtain a client_credentials token and present it to an API endpoint that relies on a user-based identity derived from the token's sub claim. Since the sub claim can reflect a client identifier, the system might perform a User::find(sub) and authenticate as the corresponding user without validating that the token represents a real user session. This undermines the trust boundary between service-to-service tokens and user tokens, enabling unauthorized access to user data and actions. The recommended remediation is to upgrade to a version containing the fix and adjust the authentication guard logic to treat client_credentials tokens as non-user identities, avoiding any retrieval of a User by the sub claim when no user context exists.