cpe:2.3:a:laravel:passport:*:*:*:*:*:*:*:*

| Field | Value |
|---|---|
| Part | a |
| Vendor | Laravel (753b10ea-9525-5ae4-bc49-6f2cc8b8ce8c) |
| Product | Passport (0ed55f70-a7d6-506d-a9d4-4484d0714ba4) |
| Version | * |
| Update | * |
| Edition | * |
| Language | * |
| Software edition | * |
| Target software | * |
| Target hardware | * |
| Other | * |
| Notes | Imported from purl2cpe mapping |
PURL mappings

| PURL | Source | Last updated |
|---|---|---|
| pkg:composer/laravel/passport | purl2cpe | 2026-06-01 10:12:10.372941 |
| pkg:github/laravel/passport | purl2cpe | 2026-06-01 10:12:10.372944 |
Vulnerability references

| Identifier | cpeApplicability | Submitted | db.gcve.eu details | Rationale |
|---|---|---|---|---|
| CVE:CVE-2026-39976 | vulnerable | 2026-06-08 08:01:17.265354 | Laravel Passport's TokenGuard Authenticates Unrelated User for Client Credentials Tokens; HIGH (7.1); Published: 2026-04-09T16:50:42.326Z; Updated: 2026-04-09T19:31:53.801Z | Imported from gcve-enriched-dumps CVE data |

Laravel Passport provides OAuth2 server support to Laravel. From 13.0.0 to before 13.7.1, there is an authentication bypass for client_credentials tokens. The league/oauth2-server library sets the JWT sub claim to the client identifier (since there is no user). The token guard then passes this value to retrieveById() without validating that it is actually a user identifier, potentially resolving an unrelated real user. Any machine-to-machine token can inadvertently authenticate as an actual user. This vulnerability is fixed in 13.7.1.