CVE-2026-31813
Status: Received - Intake
JWT Authentication Bypass in Supabase Auth via Apple/Azure OIDC

Publication date: 2026-03-11

Last updated on: 2026-03-20

Assigner: GitHub, Inc.

Description
Supabase Auth is a JWT based API for managing users and issuing JWT tokens. Prior to 2.185.0, a vulnerability has been identified that allows an attacker to issue sessions for arbitrary users using specially crafted ID tokens when the Apple or Azure providers are enabled. The attacker issues a valid, asymmetrically signed ID token from their issuer for each victim email address, which then is sent to the Supabase Auth token endpoint using the ID token flow. If the ID token is OIDC compliant, the Auth server would validate it against the attacker-controlled issuer and link the existing OIDC identity (Apple or Azure) of the victim to an additional OIDC identity based on the ID token contents. The Auth server would then issue a valid user session (access and refresh tokens) at the AAL1 level to the attacker. This vulnerability is fixed in 2.185.0.
Meta Information
Generated: 2026-05-06
AI Q&A: 2026-03-11
EPSS Evaluated: 2026-05-05
Affected Vendors & Products (1 associated CPE)
Vendor: supabase
Product: auth
Version / Range: up to 2.185.0 (excluding)
CWE
CWE-290: This attack-focused weakness is caused by incorrectly implemented authentication schemes that are subject to spoofing attacks.
AI Powered Q&A
How can this vulnerability impact me?

This vulnerability allows an attacker to issue valid user sessions for arbitrary users, enabling them to impersonate those users.

The impact on confidentiality and integrity is low, and availability is not affected.

However, since attackers can gain unauthorized access to user sessions, this can lead to unauthorized access to user data and actions performed under the victim's identity.

Exploitation requires high attack complexity, including controlling a valid OIDC issuer and knowledge of victim email addresses. [1]


Can you explain this vulnerability to me?

CVE-2026-31813 is a vulnerability in Supabase Auth versions prior to 2.185.0 that affects the authentication process when Apple or Azure providers are enabled.

An attacker who controls their own OpenID Connect (OIDC) compliant ID token issuer can create specially crafted ID tokens for victim email addresses. When these tokens are sent to the Supabase Auth token endpoint, the server incorrectly validates and links the victim's existing OIDC identity with the attacker-controlled identity.

As a result, the attacker can obtain valid user sessions (access and refresh tokens) at Authentication Assurance Level 1 (AAL1), effectively impersonating the victim without needing privileges or user interaction. [1]


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

I don't know


How can this vulnerability be detected on my network or system? Can you suggest some commands?

To detect potential exploitation of this vulnerability, audit the identities table in your Supabase Auth server for Apple or Azure provider entries with issuer values that do not match the expected trusted issuers.

  • Apple issuer must start with "https://appleid.apple.com/"
  • Azure issuer must start with "https://login.microsoftonline.com/" or "https://sts.windows.net/"

Any issuer values outside these expected prefixes indicate likely exploitation.

Example commands to query the identities table might include SQL queries such as:

  • For Apple provider: SELECT * FROM identities WHERE provider = 'apple' AND issuer NOT LIKE 'https://appleid.apple.com/%';
  • For Azure provider: SELECT * FROM identities WHERE provider = 'azure' AND issuer NOT LIKE 'https://login.microsoftonline.com/%' AND issuer NOT LIKE 'https://sts.windows.net/%'; [1]
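The audit above, as an added example that is not Supabase's code or part of the original page: it runs the same per-provider issuer queries against constructed sample rows loaded into an in-memory SQLite table, and exposes the same prefix allowlist as a function that could gate an incoming token's iss claim before an identity is linked (an illustration of the check, not the upstream fix). The column layout (user_id, provider, issuer) and every row are assumptions.

```python
import sqlite3

# Trusted issuer prefixes per provider, taken from the detection guidance above.
TRUSTED_ISSUER_PREFIXES = {
    "apple": ("https://appleid.apple.com/",),
    "azure": ("https://login.microsoftonline.com/", "https://sts.windows.net/"),
}

# Constructed sample rows standing in for the identities table: (user_id, provider, issuer).
# Tenant ids and hostnames are placeholders, not real data.
SAMPLE_IDENTITIES = [
    ("u1", "apple", "https://appleid.apple.com/"),
    ("u2", "azure", "https://login.microsoftonline.com/EXAMPLE-TENANT/v2.0"),
    ("u3", "azure", "https://sts.windows.net/EXAMPLE-TENANT/"),
    ("u4", "apple", "https://idp.example.test/"),            # issuer outside the allowlist
    ("u5", "azure", "https://login.example.test/oauth2"),    # issuer outside the allowlist
    ("u6", "github", None),  # non-OIDC provider, out of scope for this check
]


def issuer_is_trusted(provider, issuer):
    """Allowlist check: True when `issuer` starts with a trusted prefix for `provider`.
    Providers with no OIDC issuer expectation pass through unchanged."""
    prefixes = TRUSTED_ISSUER_PREFIXES.get(provider)
    if prefixes is None:
        return True
    return issuer is not None and issuer.startswith(prefixes)


def audit_identities(rows):
    """Load `rows` into an in-memory table and run the page's detection queries.
    Returns the sorted user_ids whose Apple/Azure identity has an unexpected issuer;
    a NULL issuer on those providers is flagged as well."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE identities (user_id TEXT, provider TEXT, issuer TEXT)")
    conn.executemany("INSERT INTO identities VALUES (?, ?, ?)", rows)
    flagged = []
    for provider, prefixes in TRUSTED_ISSUER_PREFIXES.items():
        # One NOT LIKE clause per trusted prefix, mirroring the SQL given above.
        clauses = " AND ".join("issuer NOT LIKE ?" for _ in prefixes)
        sql = ("SELECT user_id FROM identities WHERE provider = ? "
               f"AND (issuer IS NULL OR ({clauses}))")
        params = (provider, *[p + "%" for p in prefixes])
        flagged += [row[0] for row in conn.execute(sql, params)]
    conn.close()
    return sorted(flagged)


if __name__ == "__main__":
    print(audit_identities(SAMPLE_IDENTITIES))
```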


What immediate steps should I take to mitigate this vulnerability?

The primary mitigation is to upgrade the Supabase Gotrue Auth server to version 2.185.0 or later, where this vulnerability is fixed.

For self-hosted deployments, additional immediate steps include:

  • Implement continuous and timely updates of the Auth server.
  • Avoid exposing the Auth server directly to the internet; place it behind a reverse proxy such as Envoy, nginx, Caddy, or Kong, and keep the proxy up-to-date.
  • Enforce multi-factor authentication (MFA) on all user accounts and verify sensitive actions.
  • If MFA is not feasible, require re-authentication or user confirmation via email or SMS for sensitive operations.
