
CVE-2026-31813: CWE-290: Authentication Bypass by Spoofing in supabase auth

Severity: Medium
Published: Wed Mar 11 2026 (03/11/2026, 16:42:56 UTC)
Source: CVE Database V5
Vendor/Project: supabase
Product: auth

Description

Supabase Auth is a JWT-based API for managing users and issuing JWT tokens. Prior to 2.185.0, a vulnerability has been identified that allows an attacker to issue sessions for arbitrary users using specially crafted ID tokens when the Apple or Azure providers are enabled. The attacker issues a valid, asymmetrically signed ID token from their own issuer for each victim email address, which is then sent to the Supabase Auth token endpoint using the ID token flow. If the ID token is OIDC compliant, the Auth server would validate it against the attacker-controlled issuer and link the existing OIDC identity (Apple or Azure) of the victim to an additional OIDC identity based on the ID token contents. The Auth server would then issue a valid user session (access and refresh tokens) at the AAL1 level to the attacker. This vulnerability is fixed in 2.185.0.

AI-Powered Analysis

AI analysis last updated: 03/11/2026, 17:15:12 UTC

Technical Analysis

Supabase Auth is a JWT-based authentication API that manages user sessions and issues tokens. The vulnerability CVE-2026-31813 arises when the Apple or Azure OpenID Connect (OIDC) providers are enabled in versions before 2.185.0. The flaw allows an attacker to create a specially crafted ID token signed by their own issuer, which the Supabase Auth server accepts if it complies with OIDC standards. The server erroneously validates this token against the attacker-controlled issuer and links the victim's existing OIDC identity to the identity described by this malicious token. Consequently, the attacker can obtain valid user sessions for arbitrary users without possessing their credentials, effectively bypassing authentication. The attack leverages the trust model of OIDC and the improper issuer validation logic in Supabase Auth. The attacker gains access tokens and refresh tokens at Authentication Assurance Level 1 (AAL1), enabling session hijacking or impersonation. The vulnerability requires no user interaction or prior authentication, but the attacker must be able to generate valid OIDC-compliant tokens from their own issuer. The issue is resolved in Supabase Auth version 2.185.0 by correcting the issuer validation and identity linking logic. No public exploits have been reported, and the CVSS v3.1 score is 4.8, reflecting medium severity due to the attack complexity and limited scope of impact.
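An added example, not Supabase Auth's own code, of the issuer gate an ID-token endpoint needs: the token's `iss` claim is compared with the issuer configured for the provider the caller named before any JWKS fetch or signature verification, so a token from an unrelated issuer is rejected however well-formed it is. The Apple issuer URL is its well-known value; the Azure entry uses a placeholder tenant id, and `TrustedIssuers`, `ResolveIssuer` and `UnverifiedToken` are names chosen for this example.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
)

// TrustedIssuers: issuer configured per enabled provider (Azure tenant id is a placeholder).
var TrustedIssuers = map[string]string{
	"apple": "https://appleid.apple.com",
	"azure": "https://login.microsoftonline.com/<tenant-id>/v2.0",
}

// IDTokenClaims holds the claims this example inspects.
type IDTokenClaims struct {
	Iss   string `json:"iss"`
	Email string `json:"email"`
}

// ResolveIssuer runs before any signature check: the token's iss must equal the
// issuer configured for the named provider, and only that issuer's keys may then
// verify it. Fetching keys from whatever issuer the token names lets any
// OIDC-compliant issuer vouch for any email address (the bug class above).
func ResolveIssuer(provider, rawJWT string) (string, error) {
	parts := strings.Split(rawJWT, ".")
	if len(parts) != 3 {
		return "", fmt.Errorf("malformed JWT")
	}
	// Decoded WITHOUT verification: used only to choose the key source.
	payload, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return "", err
	}
	var c IDTokenClaims
	if err := json.Unmarshal(payload, &c); err != nil {
		return "", err
	}
	if iss, ok := TrustedIssuers[provider]; ok && iss == c.Iss {
		return iss, nil
	}
	return "", fmt.Errorf("issuer %q is not configured for provider %q", c.Iss, provider)
}

// UnverifiedToken builds a constructed, unsigned token for test input only.
func UnverifiedToken(c IDTokenClaims) string {
	body, _ := json.Marshal(c)
	return "eyJhbGciOiJub25lIn0." + base64.RawURLEncoding.EncodeToString(body) + ".sig"
}
```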

Potential Impact

This vulnerability allows attackers to impersonate any user in affected Supabase Auth deployments, potentially gaining unauthorized access to user accounts and sensitive data. Organizations using Supabase Auth with Apple or Azure OIDC providers enabled are at risk of session hijacking and unauthorized resource access. The impact includes loss of confidentiality and integrity of user data and sessions, undermining trust in the authentication system. Although the attack does not directly affect availability, compromised sessions can lead to further exploitation or lateral movement within applications. The medium CVSS score reflects that exploitation requires crafting valid tokens and some technical skill, limiting widespread automated attacks. However, targeted attacks against high-value users or sensitive applications could have significant consequences, including data breaches, account takeover, and compliance violations. Organizations relying on Supabase Auth for critical authentication should consider this a serious risk until patched.

Mitigation Recommendations

Upgrade Supabase Auth to version 2.185.0 or later immediately to apply the fix that corrects the issuer validation and identity linking logic. Until patching is possible, disable the Apple and Azure OIDC providers if feasible to prevent exploitation. Implement additional monitoring and alerting on authentication anomalies, such as unexpected token issuances or session creations for high-privilege accounts. Employ multi-factor authentication (MFA) at higher assurance levels to reduce the impact of compromised sessions. Review and restrict token issuance policies and validate OIDC issuer configurations carefully. Conduct regular security assessments and penetration testing focused on authentication flows. Educate developers and administrators about the risks of improper token validation and the importance of keeping authentication libraries up to date. Consider implementing anomaly detection systems that can flag unusual login patterns or token usage.

Technical Details

Data Version: 5.2
Assigner Short Name: GitHub_M
Date Reserved: 2026-03-09T16:33:42.914Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 69b19f882f860ef9434a76cc

Added to database: 3/11/2026, 4:59:52 PM

Last enriched: 3/11/2026, 5:15:12 PM

Last updated: 3/14/2026, 2:32:15 AM