CVE-2026-39976

HIGH CVSS 3.1: 7.1 EPSS 0.07%
Updated Apr 09, 2026
Laravel
Parameter           Value
CVSS                7.1 (HIGH)
Affected Versions   before 13.7.1
Fixed In            13.7.1
Type                CWE-287 (Improper Authentication)
Vendor              Laravel
Public PoC          No

Laravel Passport provides OAuth2 server support to Laravel. From 13.0.0 to before 13.7.1, there is an authentication bypass for client_credentials tokens. For such tokens the league/oauth2-server library sets the JWT sub claim to the client identifier (since there is no user). The token guard then passes this value to retrieveById() without validating that it is actually a user identifier, so a client identifier that happens to equal a user identifier resolves an unrelated real user.

Any machine-to-machine token can therefore inadvertently authenticate as an actual user. This vulnerability is fixed in 13.7.1.
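The following PHP snippet is an added illustration of the failure mode described above and of the defensive check that prevents it; it is not Laravel Passport's own guard code, and the names (AccessTokenClaims, resolveUserWeak, resolveUserHardened, the $userId field) are hypothetical. It assumes the guard can see, alongside the decoded JWT claims, the user id the access token record was issued for (null for a client_credentials token), so that a client identifier is never handed to the user provider as if it were a user identifier.

```php
<?php
// Added example, not Passport's code. Models a bearer-token guard that
// resolves the authenticated user from an OAuth2 access token.

final class AccessTokenClaims
{
    public function __construct(
        // JWT "sub": the client id for client_credentials tokens, a user id otherwise
        public readonly string $sub,
        // User id stored on the access-token record at issuance; null for M2M tokens
        // (hypothetical field: assumes the guard can look up the token record)
        public readonly ?string $userId,
    ) {
    }
}

// Weak guard: trusts "sub" as a user id regardless of which grant issued the token.
// If a client id collides with a real user id, an M2M token authenticates as that user.
function resolveUserWeak(AccessTokenClaims $claims, callable $retrieveById): ?array
{
    return $retrieveById($claims->sub);
}

// Hardened guard: a token issued without a user can never resolve one, and the
// "sub" claim must match the user the token was actually issued to.
function resolveUserHardened(AccessTokenClaims $claims, callable $retrieveById): ?array
{
    if ($claims->userId === null) {
        return null; // client_credentials token: no user context at all
    }
    if ($claims->userId !== $claims->sub) {
        return null; // sub/user mismatch: refuse rather than guess
    }
    return $retrieveById($claims->userId);
}

// Constructed sample data: one real user whose id equals a client id.
$users = ['42' => ['id' => '42', 'name' => 'alice']];
$retrieveById = fn (string $id): ?array => $users[$id] ?? null;

// Constructed M2M token: sub carries the client id "42", no user attached.
$m2mToken = new AccessTokenClaims(sub: '42', userId: null);
// Constructed user token for comparison.
$userToken = new AccessTokenClaims(sub: '42', userId: '42');

$weak = resolveUserWeak($m2mToken, $retrieveById);
$hard = resolveUserHardened($m2mToken, $retrieveById);
$legit = resolveUserHardened($userToken, $retrieveById);

echo "weak guard, M2M token resolves user: ", $weak === null ? 'no' : 'yes', PHP_EOL;
echo "hardened guard, M2M token resolves user: ", $hard === null ? 'no' : 'yes', PHP_EOL;
echo "hardened guard, user token resolves user: ", $legit === null ? 'no' : 'yes', PHP_EOL;
```

The point of the hardened variant is that the decision comes from token metadata recorded at issuance (which grant, which user), never from the sub claim alone; when upgrading to 13.7.1 is not immediately possible, a request log that shows client_credentials tokens hitting user-scoped routes is the signal worth alerting on.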

Attack Parameters

Attack Vector: Network (can be exploited remotely)
Attack Complexity: High (difficult to exploit)
Privileges Required: Low (basic privileges needed)
User Interaction: None (no user interaction needed)

Impact Assessment

Confidentiality: High (complete data leak)
Integrity: Low (partial data modification)
Availability: None (no disruption)

CVSS Vector v3.1