SCA: security update for laravel/passport (GHSA-349c-2h2f-mxf6)

Severity: High | Tenable Self-Hosted Container Security | Plugin ID 440089

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- Laravel Passport provides OAuth2 server support to Laravel. From 13.0.0 to before 13.7.1, there is an authentication bypass for client_credentials tokens. The league/oauth2-server library sets the JWT sub claim to the client identifier (since there is no user). The token guard then passes this value to retrieveById() without validating that it is actually a user identifier, potentially resolving an unrelated real user. Any machine-to-machine token can inadvertently authenticate as an actual user. This vulnerability is fixed in 13.7.1. (CVE-2026-39976)

Solution

Update the laravel/passport library and its related packages to version 13.7.1 or later.
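The following POSIX shell script is an added example (not Tenable's plugin logic and not code from the laravel/passport project) that shows how the affected range above can be checked locally against a project's composer.lock: it pulls the installed laravel/passport version out of the lock file and tests whether it falls in [13.0.0, 13.7.1). It assumes Composer's usual lock layout, where a package's "name" line is followed by its "version" line, and it runs against a constructed sample lock fragment embedded below rather than a real project file.

```shell
#!/bin/sh
# Added example: flag a composer.lock whose laravel/passport version is in the
# range reported for CVE-2026-39976 (>= 13.0.0 and < 13.7.1).

# Constructed sample composer.lock fragment (not a real project's lock file).
SAMPLE_LOCK='{
    "packages": [
        {
            "name": "laravel/framework",
            "version": "v12.0.0"
        },
        {
            "name": "laravel/passport",
            "version": "v13.5.0"
        }
    ]
}'

# Read composer.lock JSON on stdin and print the version of package $1 with the
# leading "v" and surrounding quotes removed. Relies on Composer writing the
# "name" line before the "version" line; prints nothing if the package is absent.
lock_version() {
    awk -v pkg="$1" '
        BEGIN { want = "\"" pkg "\"," }
        $1 == "\"name\":" && $2 == want { found = 1; next }
        found && $1 == "\"version\":" {
            sub(/^"v?/, "", $2); sub(/",?$/, "", $2); print $2; exit
        }
    '
}

# Compare two dotted versions numerically (pre-release suffixes after "-" are
# dropped; missing components count as 0). Prints -1, 0 or 1.
version_cmp() {
    v1=${1%%-*}; v2=${2%%-*}
    i=1
    while [ "$i" -le 3 ]; do
        p1=$(printf '%s' "$v1" | cut -d. -f"$i"); p2=$(printf '%s' "$v2" | cut -d. -f"$i")
        p1=${p1:-0}; p2=${p2:-0}
        if [ "$p1" -lt "$p2" ]; then printf '%s\n' "-1"; return; fi
        if [ "$p1" -gt "$p2" ]; then printf '%s\n' "1"; return; fi
        i=$((i + 1))
    done
    printf '%s\n' "0"
}

# True (exit 0) when version $1 is in the affected range [13.0.0, 13.7.1).
passport_affected() {
    [ "$(version_cmp "$1" 13.0.0)" -ge 0 ] && [ "$(version_cmp "$1" 13.7.1)" -lt 0 ]
}

# Check lock-file text $1. Exit 0 = not affected, 1 = affected, 2 = not installed.
check_lock() {
    v=$(printf '%s\n' "$1" | lock_version laravel/passport)
    if [ -z "$v" ]; then
        echo "laravel/passport not installed"
        return 2
    fi
    if passport_affected "$v"; then
        echo "laravel/passport $v is affected by CVE-2026-39976; update to 13.7.1 or later"
        return 1
    fi
    echo "laravel/passport $v is not in the affected range"
    return 0
}

# Run against the constructed sample (for a real project: check_lock "$(cat composer.lock)").
if check_lock "$SAMPLE_LOCK"; then
    echo "status 0: clean"
else
    echo "status $?: needs attention"
fi
```

The exit codes make the check usable as a CI gate; pointing `check_lock` at the real composer.lock instead of the sample is the only change needed.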

See Also

https://github.com/advisories/GHSA-349c-2h2f-mxf6

Plugin Details

Severity: High

ID: 440089

Version: Revision 1.5

Type: Local

Family: SCA Checks

Published: 4/9/2026

Updated: 6/3/2026

Risk Information

VPR

Risk Factor: Medium

Score: 5.9

Vendor

Vendor Severity: High

CVSS v2

Risk Factor: Medium

Base Score: 5.6

Temporal Score: 4.4

Vector: CVSS2#AV:N/AC:H/Au:S/C:C/I:P/A:N

CVSS Score Source: CVE-2026-39976

CVSS v3

Risk Factor: High

Base Score: 7.1

Temporal Score: 6.4

Vector: CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:L/A:N

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

Vulnerability Information

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 4/8/2026

Vulnerability Publication Date: 4/8/2026

Reference Information

CVE: CVE-2026-39976

CWE: CWE-287