{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/oauth2/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[{"cvss":7.1,"id":"CVE-2026-39976"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["cve-2026-39976","laravel","oauth2","authentication bypass"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eLaravel Passport, an OAuth2 server implementation for Laravel, is vulnerable to an authentication bypass (CVE-2026-39976) in versions 13.0.0 up to, but not including, 13.7.1. The vulnerability stems from the \u003ccode\u003eleague/oauth2-server\u003c/code\u003e library, where the JWT \u003ccode\u003esub\u003c/code\u003e claim is set to the client identifier for \u003ccode\u003eclient_credentials\u003c/code\u003e tokens, as there is no associated user. The token guard then uses this client identifier to retrieve user information via \u003ccode\u003eretrieveById()\u003c/code\u003e without checking that the token actually represents a user, potentially resolving and authenticating an unrelated, real user. This means any machine-to-machine token can inadvertently authenticate as an actual user within the Laravel application, allowing the holder of such a token to perform actions with the privileges of that user. The vulnerability is resolved in Laravel Passport version 13.7.1.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker obtains a valid \u003ccode\u003eclient_credentials\u003c/code\u003e token issued by Laravel Passport (versions 13.0.0 - 13.7.0). 
This could be a token intended for machine-to-machine communication.\u003c/li\u003e\n\u003cli\u003eThe attacker sends a request to a protected endpoint of the Laravel application, including the \u003ccode\u003eclient_credentials\u003c/code\u003e token in the \u003ccode\u003eAuthorization\u003c/code\u003e header.\u003c/li\u003e\n\u003cli\u003eThe Laravel Passport token guard extracts the JWT \u003ccode\u003esub\u003c/code\u003e claim from the token. In vulnerable versions, this \u003ccode\u003esub\u003c/code\u003e claim contains the client identifier.\u003c/li\u003e\n\u003cli\u003eThe token guard calls \u003ccode\u003eretrieveById()\u003c/code\u003e using the client identifier from the \u003ccode\u003esub\u003c/code\u003e claim as the user ID.\u003c/li\u003e\n\u003cli\u003eDue to the lack of validation, \u003ccode\u003eretrieveById()\u003c/code\u003e queries the user database, potentially finding a user whose ID matches the client identifier.\u003c/li\u003e\n\u003cli\u003eIf a user with the matching ID is found, the application authenticates the request as that user, granting the attacker their privileges.\u003c/li\u003e\n\u003cli\u003eThe attacker can then access resources and perform actions as the authenticated user.\u003c/li\u003e\n\u003cli\u003eThe attacker exploits the user\u0026rsquo;s privileges to compromise data or perform unauthorized actions within the application.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-39976 allows attackers to bypass authentication and gain unauthorized access to user accounts in Laravel applications using affected versions of Laravel Passport. This can lead to data breaches, privilege escalation, and other malicious activities, depending on the privileges of the compromised user accounts. The severity of the impact depends on the application\u0026rsquo;s functionality and the sensitivity of the data it handles. 
Potentially every application that relies on an affected Laravel Passport version for authentication is exposed.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade Laravel Passport to version 13.7.1 or later to patch CVE-2026-39976.\u003c/li\u003e\n\u003cli\u003eImplement additional validation within the application\u0026rsquo;s authentication logic to verify that the user ID extracted from the JWT \u003ccode\u003esub\u003c/code\u003e claim corresponds to a valid user, especially when using \u003ccode\u003eclient_credentials\u003c/code\u003e tokens.\u003c/li\u003e\n\u003cli\u003eMonitor application logs for unexpected authentication events or API requests originating from machine-to-machine tokens that are being authenticated as users. The \u003ccode\u003ewebserver\u003c/code\u003e log source can be used for this monitoring.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule provided to detect requests to protected endpoints with \u003ccode\u003eclient_credentials\u003c/code\u003e tokens that are incorrectly authenticated as users.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-09T17:16:31Z","date_published":"2026-04-09T17:16:31Z","id":"/briefs/2026-04-laravel-auth-bypass/","summary":"Laravel Passport versions 13.0.0 before 13.7.1 contain an authentication bypass vulnerability (CVE-2026-39976) where machine-to-machine tokens can authenticate as a real user due to improper validation of the JWT sub claim.","title":"Laravel Passport Authentication Bypass Vulnerability (CVE-2026-39976)","url":"https://feed.craftedsignal.io/briefs/2026-04-laravel-auth-bypass/"},{"_cs_actors":[],"_cs_cves":[{"cvss":8.8,"id":"CVE-2025-71278"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["cve-2025-71278","oauth2","xenforo","incorrect-authorization"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eXenForo, a popular forum software, has a security vulnerability (CVE-2025-71278) 
affecting versions prior to 2.3.5. Specifically, the vulnerability lies in the OAuth2 client application authorization process. OAuth2 clients can request scopes beyond those they are authorized to access. This vulnerability impacts any XenForo 2.3 installation utilizing OAuth2 clients prior to upgrading to version 2.3.5. Successful exploitation could allow malicious or compromised OAuth2 client applications to escalate privileges and access sensitive data or functionality within the XenForo forum.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker registers a malicious OAuth2 client application within the vulnerable XenForo instance.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts an OAuth2 authorization request, including scopes that the client should not be permitted to access according to XenForo\u0026rsquo;s intended authorization model.\u003c/li\u003e\n\u003cli\u003eThe vulnerable XenForo instance fails to properly validate the requested scopes against the client\u0026rsquo;s authorized permissions.\u003c/li\u003e\n\u003cli\u003eThe XenForo server grants access tokens with the requested, unauthorized scopes.\u003c/li\u003e\n\u003cli\u003eThe malicious OAuth2 client application uses the access token with the expanded privileges to interact with the XenForo API.\u003c/li\u003e\n\u003cli\u003eThe attacker performs actions they are not intended to be authorized for, such as accessing private user data, modifying forum settings, or performing administrative tasks depending on the scopes gained.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2025-71278 can lead to unauthorized data access, privilege escalation, and potential compromise of the XenForo forum. This can impact all users of the forum, leading to data breaches, defacement, or disruption of service. 
The severity depends on the unauthorized scopes obtained, but could range from accessing private messages to complete administrative control over the forum.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade XenForo installations to version 2.3.5 or later to remediate CVE-2025-71278, as directed by the XenForo advisory.\u003c/li\u003e\n\u003cli\u003eAs a general hardening measure, implement rate limiting on OAuth2 authorization requests to identify and mitigate potential abuse.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-01T01:16:40Z","date_published":"2026-04-01T01:16:40Z","id":"/briefs/2026-04-xenforo-oauth2-unauth-scope/","summary":"XenForo before 2.3.5 allows OAuth2 client applications to request unauthorized scopes, potentially allowing client applications to gain access beyond their intended authorization level due to improper authorization checks.","title":"XenForo OAuth2 Unauthorized Scope Request Vulnerability","url":"https://feed.craftedsignal.io/briefs/2026-04-xenforo-oauth2-unauth-scope/"}],"language":"en","title":"CraftedSignal Threat Feed — Oauth2","version":"https://jsonfeed.org/version/1.1"}