{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/laravel/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[{"cvss":7.1,"id":"CVE-2026-39976"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["cve-2026-39976","laravel","oauth2","authentication bypass"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eLaravel Passport, an OAuth2 server implementation for Laravel, is vulnerable to an authentication bypass (CVE-2026-39976) in versions 13.0.0 up to, but not including, 13.7.1. The vulnerability stems from the \u003ccode\u003eleague/oauth2-server\u003c/code\u003e library, where the JWT \u003ccode\u003esub\u003c/code\u003e claim is set to the client identifier for \u003ccode\u003eclient_credentials\u003c/code\u003e tokens, as there is no associated user. Subsequently, the token guard uses this client identifier to retrieve user information via \u003ccode\u003eretrieveById()\u003c/code\u003e without proper validation, potentially resolving and authenticating an unrelated, real user. This means any machine-to-machine token can inadvertently authenticate as an actual user within the Laravel application. The vulnerability is resolved in Laravel Passport version 13.7.1. This allows attackers to perform actions with the privileges of the authenticated user.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker obtains a valid \u003ccode\u003eclient_credentials\u003c/code\u003e token issued by Laravel Passport (versions 13.0.0 - 13.7.0). 
This could be a token intended for machine-to-machine communication.\u003c/li\u003e\n\u003cli\u003eThe attacker sends a request to a protected endpoint of the Laravel application, including the \u003ccode\u003eclient_credentials\u003c/code\u003e token in the \u003ccode\u003eAuthorization\u003c/code\u003e header.\u003c/li\u003e\n\u003cli\u003eThe Laravel Passport token guard extracts the JWT \u003ccode\u003esub\u003c/code\u003e claim from the token. In vulnerable versions, this \u003ccode\u003esub\u003c/code\u003e claim contains the client identifier.\u003c/li\u003e\n\u003cli\u003eThe token guard calls \u003ccode\u003eretrieveById()\u003c/code\u003e using the client identifier from the \u003ccode\u003esub\u003c/code\u003e claim as the user ID.\u003c/li\u003e\n\u003cli\u003eDue to the lack of validation, \u003ccode\u003eretrieveById()\u003c/code\u003e queries the user database, potentially finding a user whose ID matches the client identifier.\u003c/li\u003e\n\u003cli\u003eIf a user with the matching ID is found, the application authenticates the request as that user, granting the attacker their privileges.\u003c/li\u003e\n\u003cli\u003eThe attacker can then access resources and perform actions as the authenticated user.\u003c/li\u003e\n\u003cli\u003eThe attacker exploits the user\u0026rsquo;s privileges to compromise data or perform unauthorized actions within the application.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-39976 allows attackers to bypass authentication and gain unauthorized access to user accounts in Laravel applications using affected versions of Laravel Passport. This can lead to data breaches, privilege escalation, and other malicious activities, depending on the privileges of the compromised user accounts. The severity of the impact depends on the application\u0026rsquo;s functionality and the sensitivity of the data it handles. 
Potentially all applications using Laravel Passport for authentication are vulnerable.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade Laravel Passport to version 13.7.1 or later to patch CVE-2026-39976.\u003c/li\u003e\n\u003cli\u003eImplement additional validation within the application\u0026rsquo;s authentication logic to verify that the user ID extracted from the JWT \u003ccode\u003esub\u003c/code\u003e claim corresponds to a valid user, especially when using \u003ccode\u003eclient_credentials\u003c/code\u003e tokens.\u003c/li\u003e\n\u003cli\u003eMonitor application logs for unexpected authentication events or API requests originating from machine-to-machine tokens that are being authenticated as users. The \u003ccode\u003ewebserver\u003c/code\u003e log source can be used for this monitoring.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule provided to detect requests to protected endpoints with \u003ccode\u003eclient_credentials\u003c/code\u003e tokens that are incorrectly authenticated as users.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-09T17:16:31Z","date_published":"2026-04-09T17:16:31Z","id":"/briefs/2026-04-laravel-auth-bypass/","summary":"Laravel Passport versions 13.0.0 before 13.7.1 contain an authentication bypass vulnerability (CVE-2026-39976) where machine-to-machine tokens can authenticate as a real user due to improper validation of the JWT sub claim.","title":"Laravel Passport Authentication Bypass Vulnerability (CVE-2026-39976)","url":"https://feed.craftedsignal.io/briefs/2026-04-laravel-auth-bypass/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["path-traversal","cms","laravel","web-application"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eSharp CMS, a content management framework built for Laravel, is vulnerable to a path traversal attack. 
This vulnerability affects versions prior to 9.20.0 and stems from the \u003ccode\u003eFileUtil\u003c/code\u003e class not properly sanitizing file extensions. The flaw allows attackers to manipulate file paths by injecting path separators, potentially leading to unauthorized file access or manipulation within the storage layer. The vulnerability resides in the \u003ccode\u003eFileUtil::explodeExtension()\u003c/code\u003e function within…\u003c/p\u003e\n","date_modified":"2026-03-26T22:16:31Z","date_published":"2026-03-26T22:16:31Z","id":"/briefs/2024-05-sharp-path-traversal/","summary":"A path traversal vulnerability exists in Sharp CMS versions prior to 9.20.0 due to improper sanitization of file extensions, potentially allowing attackers to bypass security restrictions and access sensitive files.","title":"Sharp CMS Path Traversal Vulnerability (CVE-2026-33686)","url":"https://feed.craftedsignal.io/briefs/2024-05-sharp-path-traversal/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["laravel","file-upload","rce","code16/sharp"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eThe \u003ccode\u003ecode16/sharp\u003c/code\u003e Laravel admin panel package, specifically versions before 9.20.0, is vulnerable to unrestricted file upload. An authenticated user can manipulate the \u003ccode\u003evalidation_rule\u003c/code\u003e parameter in the \u003ccode\u003e/api/form/upload\u003c/code\u003e endpoint to bypass file type restrictions. This vulnerability stems from insufficient server-side validation of the client-supplied \u003ccode\u003evalidation_rule\u003c/code\u003e, which is directly passed to the Laravel validator. Successfully exploiting this vulnerability allows an attacker to upload arbitrary files, including PHP webshells, which can lead to remote code execution (RCE) if the storage disk is publicly accessible. 
The vulnerability was reported by zaurgsynv and has been patched in pull request #714. Defenders should ensure their Sharp instances are updated to version 9.20.0 or later, and restrict disk access.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn authenticated user logs into the Sharp Laravel admin panel.\u003c/li\u003e\n\u003cli\u003eThe user navigates to a section of the application that utilizes the file upload functionality.\u003c/li\u003e\n\u003cli\u003eThe user intercepts the HTTP request sent to the \u003ccode\u003e/api/form/upload\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003cli\u003eThe user modifies the request body, specifically the \u003ccode\u003evalidation_rule\u003c/code\u003e parameter, setting it to \u003ccode\u003evalidation_rule[]=file\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe modified request is sent to the server, bypassing MIME type and file extension checks.\u003c/li\u003e\n\u003cli\u003eThe server processes the upload request, saving the arbitrary file (e.g., a PHP webshell) to the designated storage disk.\u003c/li\u003e\n\u003cli\u003eIf the storage disk is publicly accessible, the attacker can access the uploaded file via a web browser.\u003c/li\u003e\n\u003cli\u003eThe attacker executes the uploaded PHP webshell, achieving remote code execution (RCE) on the server.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability allows attackers to upload arbitrary files, including PHP webshells, to the affected server. This can lead to Remote Code Execution (RCE) if the server\u0026rsquo;s storage disk is misconfigured to be publicly accessible. While default configurations prevent direct execution of uploaded PHP files, compromised servers can be leveraged for lateral movement, data exfiltration, or further malicious activities. 
This vulnerability impacts all installations of \u003ccode\u003ecode16/sharp\u003c/code\u003e prior to version 9.20.0.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade \u003ccode\u003ecode16/sharp\u003c/code\u003e to version 9.20.0 or later to remediate CVE-2026-33687.\u003c/li\u003e\n\u003cli\u003eEnsure that the storage disk used for Sharp uploads is strictly private, as described in the Laravel filesystem documentation (\u003ca href=\"https://laravel.com/docs/13.x/filesystem\"\u003ehttps://laravel.com/docs/13.x/filesystem\u003c/a\u003e).\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect Sharp File Upload Bypass Attempt\u0026rdquo; to identify attempts to exploit this vulnerability based on the \u003ccode\u003evalidation_rule\u003c/code\u003e parameter.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for suspicious file uploads to the \u003ccode\u003e/api/form/upload\u003c/code\u003e endpoint, correlating with user activity and file extensions.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-03-25T20:03:11Z","date_published":"2026-03-25T20:03:11Z","id":"/briefs/2026-06-sharp-file-upload-bypass/","summary":"The code16/sharp Laravel admin panel package contains a vulnerability in its file upload endpoint that allows authenticated users to bypass all file type restrictions by manipulating the validation_rule parameter, potentially leading to Remote Code Execution (RCE) if the storage disk is configured to be publicly accessible.","title":"Sharp Laravel Admin Panel Unrestricted File Upload Vulnerability","url":"https://feed.craftedsignal.io/briefs/2026-06-sharp-file-upload-bypass/"}],"language":"en","title":"CraftedSignal Threat Feed — Laravel","version":"https://jsonfeed.org/version/1.1"}