DEV Community

CVE Reports
CVE Reports

Posted on • Originally published at cvereports.com

GHSA-349C-2H2F-MXF6: GHSA-349c-2h2f-mxf6: Authentication Bypass via Client Identifier Collision in Laravel Passport

#security #cve #cybersecurity #ghsa

GHSA-349c-2h2f-mxf6: Authentication Bypass via Client Identifier Collision in Laravel Passport

Vulnerability ID: GHSA-349C-2H2F-MXF6
CVSS Score: 6.8
Published: 2026-04-08

An authentication bypass vulnerability in Laravel Passport allows machine-to-machine client credentials tokens to inadvertently authenticate as unrelated users. This occurs due to improper validation of the JWT subject claim when UUIDs are disabled for OAuth clients, resulting in an integer collision between client IDs and user primary keys.

TL;DR

Laravel Passport before 13.7.1 allows client credentials tokens to authenticate as real users if client UUIDs are disabled. The TokenGuard incorrectly uses the numeric client identifier as a user ID, leading to full authentication bypass.

⚠️ Exploit Status: POC

Technical Details

  • CWE ID: CWE-287
  • Attack Vector: Network
  • CVSS Base Score: 6.8
  • Impact: Authentication Bypass / Impersonation
  • Exploit Status: Unweaponized / Conditional
  • Required Configuration: Passport::$clientUuids = false

Affected Systems

  • laravel/passport (Packagist package)
  • laravel/passport: < 13.7.1 (Fixed in: 13.7.1)

Code Analysis

Commit: e8b335b

Fix token guard resolving unrelated user for client credentials tokens

Mitigation Strategies

  • Upgrade laravel/passport to a patched version (>= 13.7.1).
  • Ensure Passport::$clientUuids is set to true to enforce UUIDs for clients.
  • Disable the client_credentials grant type if machine-to-machine authentication is unnecessary.
  • Implement custom middleware to reject client_credentials tokens on endpoints requiring a real user context.

Remediation Steps:

  1. Run composer update laravel/passport to fetch version 13.7.1 or higher.
  2. Audit App\Providers\AuthServiceProvider or equivalent configuration files to verify Passport::$clientUuids is not set to false.
  3. Review application logs for existing use of client_credentials tokens accessing user-restricted API routes.
  4. Deploy the updated application dependencies and verify authentication flows.

References

Read the full report for GHSA-349C-2H2F-MXF6 on our website for more details including interactive diagrams and full exploit analysis.

Top comments (0)