Vulnerability DatabaseCVE-2026-39976

CVE-2026-39976:
PHP vulnerability analysis and mitigation

Laravel Passport provides OAuth2 server support to Laravel. From 13.0.0 to before 13.7.1, there is an Authentication Bypass for client_credentials tokens. the league/oauth2-server library sets the JWT sub claim to the client identifier (since there's no user). The token guard then passes this value to retrieveById() without validating it's actually a user identifier, potentially resolving an unrelated real user. Any machine-to-machine token can inadvertently authenticate as an actual user. This vulnerability is fixed in 13.7.1.

Source: NVD

Related PHP vulnerabilities:

CVE ID	Severity	Score	Technologies	Component name	CISA KEV exploit	Has fix	Published date
CVE-2026-39394	HIGH	8.1	PHP	ci4-cms-erp/ci4ms	No	Yes	Apr 08, 2026
CVE-2026-39393	HIGH	8.1	PHP	ci4-cms-erp/ci4ms	No	Yes	Apr 08, 2026
CVE-2026-39976	HIGH	7.1	PHP	laravel/passport	No	Yes	Apr 09, 2026
CVE-2026-39392	MEDIUM	5.5	PHP	ci4-cms-erp/ci4ms	No	Yes	Apr 08, 2026
CVE-2026-39391	MEDIUM	4.8	PHP	ci4-cms-erp/ci4ms	No	Yes	Apr 08, 2026

Free Vulnerability Assessment

Benchmark your Cloud Security Posture

Evaluate your cloud security practices across 9 security domains to benchmark your risk level and identify gaps in your defenses.

Request assessment

Additional Wiz resources

Cloud Vulnerability DB

A community-led vulnerabilities database

Cloud Threat Landscape

A threat intelligence database

PEACH

A tenant isolation framework

Get a personalized demo

Ready to see Wiz in action?

"Best User Experience I have ever seen, provides full visibility to cloud workloads."

David EstlickCISO

"Wiz provides a single pane of glass to see what is going on in our cloud environments."

Adam FletcherChief Security Officer

"We know that if Wiz identifies something as critical, it actually is."

Greg PoniatowskiHead of Threat and Vulnerability Management

Get a demo

CVE-2026-39976: PHP vulnerability analysis and mitigation