Laravel Passport Authentication Bypass via Client Credentials Tokens
Laravel Passport before v13.7.1 allows an authentication bypass via client credentials tokens, where a client's identifier can be used to impersonate a user if `Passport::$clientUuids` is set to false or the EnsureClientIsResourceOwner middleware is in use.
Laravel Passport, a popular OAuth2 server package for Laravel applications, is vulnerable to an authentication bypass. Specifically, in versions prior to 13.7.1, when using client_credentials grant type tokens, the library sets the JWT sub claim to the client identifier. The TokenGuard then uses this client identifier without validating that it is actually a user ID, leading to a scenario where an attacker-controlled client ID may resolve to an existing user. The risk is amplified when Passport::$clientUuids is set to false or the EnsureClientIsResourceOwner middleware is in use, potentially resulting in machine-to-machine tokens inadvertently authenticating as actual users. This vulnerability allows unauthorized access to resources intended for specific users.
Attack Chain
- An attacker identifies a Laravel application using a vulnerable version of Laravel Passport (<13.7.1) that uses
client_credentialsgrants. - The attacker registers a new OAuth2 client within the vulnerable application.
- The attacker obtains the client ID of the registered client.
- The attacker crafts a
client_credentialstoken request to the/oauth/tokenendpoint, using the client's ID and secret. - The OAuth2 server generates a JWT access token. The
subclaim in this token is set to the client ID. - The attacker makes a request to an API endpoint that is protected by Passport's
auth:apiguard using the crafted JWT access token. - The
TokenGuardextracts the client ID from thesubclaim of the JWT. - The
TokenGuardcallsretrieveById()using the client ID. If a user exists with an ID that matches the client ID, theretrieveById()method will return that user. The application incorrectly authenticates the request as that unrelated user, granting unauthorized access.
Impact
Successful exploitation of this vulnerability can lead to significant data breaches and unauthorized access to user accounts. An attacker could gain access to sensitive information, perform actions on behalf of legitimate users, or escalate privileges within the application. The impact depends on the scope of data and actions accessible to a successfully impersonated user. This vulnerability affects all applications using Laravel Passport versions prior to 13.7.1 that have either disabled UUIDs for clients or are using the EnsureClientIsResourceOwner middleware in a vulnerable configuration.
Recommendation
- Upgrade to Laravel Passport version 13.7.1 or later to patch the vulnerability.
- As a workaround, disallow the use of
client_credentialsgrant type to prevent the vulnerability. - Review the configuration of
Passport::$clientUuidsand ensure it is set totrueto mitigate the risk (see documentation in Overview). - Deploy the Sigma rule "Detect Laravel Passport Authentication Bypass Attempt" to detect potential exploitation attempts.
Detection coverage 2
Detect Laravel Passport Authentication Bypass Attempt
highDetects attempts to exploit the Laravel Passport authentication bypass vulnerability by monitoring for calls to the /oauth/token endpoint with client_credentials grant type.
Detect Laravel Passport Malicious Client Registration
mediumDetects potential reconnaissance activity by monitoring for unusual POST requests to the /oauth/clients endpoint which could indicate a malicious actor attempting to create a client for exploit attempts
Detection queries are available on the platform. Get full rules →