
cpe:2.3:a:laravel:passport:*:*:*:*:*:*:*:*

Part: a
Version: *
Update: *
Vendor: Laravel (753b10ea-9525-5ae4-bc49-6f2cc8b8ce8c)
Product: Passport (0ed55f70-a7d6-506d-a9d4-4484d0714ba4)
Edition: *
Language: *
Software edition: *
Target software: *
Target hardware: *
Other: *
Notes: Imported from purl2cpe mapping

PURL mappings

PURL | Source | Last updated
pkg:composer/laravel/passport | purl2cpe | 2026-06-01 10:12:10.372941
pkg:github/laravel/passport | purl2cpe | 2026-06-01 10:12:10.372944

Vulnerability references

Identifier: CVE:CVE-2026-39976
CPE applicability: vulnerable
Submitted: 2026-06-08 08:01:17.265354
db.gcve.eu details:
  Title: Laravel Passport's TokenGuard Authenticates Unrelated User for Client Credentials Tokens
  Severity: HIGH (7.1)
  Description: Laravel Passport provides OAuth2 server support to Laravel. From 13.0.0 to before 13.7.1, there is an Authentication Bypass for client_credentials tokens. The league/oauth2-server library sets the JWT sub claim to the client identifier (since there is no user). The token guard then passes this value to retrieveById() without validating that it is actually a user identifier, potentially resolving an unrelated real user. Any machine-to-machine token can inadvertently authenticate as an actual user. This vulnerability is fixed in 13.7.1.
  Published: 2026-04-09T16:50:42.326Z
  Updated: 2026-04-09T19:31:53.801Z
  Reference links:
Rationale: Imported from gcve-enriched-dumps CVE data
