Description
Supabase Auth is a JWT based API for managing users and issuing JWT tokens. Prior to 2.185.0, a vulnerability has been identified that allows an attacker to issue sessions for arbitrary users using specially crafted ID tokens when the Apple or Azure providers are enabled. The attacker issues a valid, asymmetrically signed ID token from their issuer for each victim email address, which then is sent to the Supabase Auth token endpoint using the ID token flow. If the ID token is OIDC compliant, the Auth server would validate it against the attacker-controlled issuer and link the existing OIDC identity (Apple or Azure) of the victim to an additional OIDC identity based on the ID token contents. The Auth server would then issue a valid user session (access and refresh tokens) at the AAL1 level to the attacker. This vulnerability is fixed in 2.185.0.
Published: 2026-03-11
Score: 4.8 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Account Impersonation
Action: Apply Patch
AI Analysis

Impact

Supabase Auth, a JWT‑based service that manages users and issues JWT tokens, has a flaw in versions prior to 2.185.0 that permits an attacker to create valid sessions for any user. By forging an asymmetrically signed ID token that appears to come from a legitimate issuer (Apple or Azure) and contains the target user’s email, the attacker submits this token to the Auth token endpoint. The server, trusting the issuer and verifying the token, associates the victim’s existing OIDC identity with the attacker’s identity and issues a new access and refresh token at the AAL1 level. This allows the attacker to impersonate the victim, gaining full read‑write access to the victim’s account and any resources protected by Supabase Auth. The weakness is a failure to properly limit the trust in external ID tokens (CWE‑290).
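The description and the impact paragraph above both turn on the same two checks an OIDC token endpoint must make before it links an ID token to an existing account: the token's `iss` must be one of the provider's expected issuers (not merely any issuer whose keys verify the signature), and the link must be keyed on the verified (provider, issuer, subject) tuple rather than on the email claim. The Go snippet below is an added illustration of those checks and is not Supabase Auth's code or its actual fix; the issuer allowlist, the `TENANT_ID_PLACEHOLDER`, the client id `com.example.app` and the sample claims are all constructed for the example.

```go
package main

import (
	"errors"
	"fmt"
)

// IDTokenClaims is the subset of OIDC ID-token claims the checks below use.
// Signature verification against the issuer's published keys is assumed to
// have already happened; these checks decide whether that issuer may be
// trusted for this provider at all, and whether the token may be tied to an
// existing account.
type IDTokenClaims struct {
	Issuer   string // iss
	Subject  string // sub
	Audience string // aud
	Email    string // email (informational; never an identity key here)
}

// Identity is an OIDC identity already linked to a user record.
type Identity struct {
	Provider string
	Issuer   string
	Subject  string
}

// trustedIssuers is an assumed allowlist for the example. The Apple value is
// Apple's documented issuer; the Azure entry carries a placeholder tenant id
// that a real deployment would replace with its own tenant(s).
var trustedIssuers = map[string][]string{
	"apple": {"https://appleid.apple.com"},
	"azure": {"https://login.microsoftonline.com/TENANT_ID_PLACEHOLDER/v2.0"},
}

var (
	ErrUnknownProvider  = errors.New("provider has no configured issuers")
	ErrUntrustedIssuer  = errors.New("id token issuer is not trusted for this provider")
	ErrAudienceMismatch = errors.New("id token audience does not match the client id")
)

// ValidateIDTokenForProvider rejects tokens whose iss is not on the provider's
// allowlist or whose aud is not our own client id. A token that verifies
// against some other issuer's keys is still rejected here.
func ValidateIDTokenForProvider(provider string, claims IDTokenClaims, clientID string) error {
	issuers, ok := trustedIssuers[provider]
	if !ok {
		return ErrUnknownProvider
	}
	trusted := false
	for _, iss := range issuers {
		if iss == claims.Issuer {
			trusted = true
			break
		}
	}
	if !trusted {
		return fmt.Errorf("%w: %q", ErrUntrustedIssuer, claims.Issuer)
	}
	if claims.Audience != clientID {
		return ErrAudienceMismatch
	}
	return nil
}

// MayLinkToExisting decides whether a validated token may be attached to an
// existing identity. The key is (provider, iss, sub); a matching email on a
// token from a different issuer is not sufficient, which is the linking
// behaviour the advisory identifies as the flaw.
func MayLinkToExisting(existing Identity, provider string, claims IDTokenClaims) bool {
	return existing.Provider == provider &&
		existing.Issuer == claims.Issuer &&
		existing.Subject == claims.Subject
}

func main() {
	// Constructed sample data: a victim with a genuine Apple identity, and a
	// token from an issuer outside the allowlist that carries the same email.
	victim := Identity{Provider: "apple", Issuer: "https://appleid.apple.com", Subject: "001234.abcdef"}
	other := IDTokenClaims{Issuer: "https://idp.other.example", Subject: "x", Audience: "com.example.app", Email: "victim@example.com"}
	fmt.Println(ValidateIDTokenForProvider("apple", other, "com.example.app")) // untrusted issuer error
	fmt.Println(MayLinkToExisting(victim, "apple", other))                    // false
}
```

The email claim is deliberately absent from both decisions: it is useful for display and for account-recovery messaging, but any flow that treats it as proof of identity across issuers reproduces the weakness described above.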

Affected Systems

The vulnerability affects all Supabase Auth versions older than 2.185.0. Any deployment running Supabase Auth 2.x (or earlier) with the Apple or Azure authentication provider enabled is potentially affected. The vendor product CPE is cpe:2.3:a:supabase:auth:*:*:*:*:*:*:*:*.

Risk and Exploitability

The CVSS score of 4.8 indicates a moderate impact, with a low probability of exploitation (EPSS <1%) and no listing in the CISA KEV catalog. Exploitation requires an attacker to possess a valid private signing key for a custom Apple or Azure issuer set up in the Supabase Auth instance, as well as the ability to perform HTTP requests to the token endpoint. Because the attack path is remote and the attacker must control the token issuer, the likelihood of successful exploitation in the wild is low, but organizations with exposed Apple or Azure providers should prioritize patching. Once patched in version 2.185.0, the vulnerability is resolved.

Generated by OpenCVE AI on March 20, 2026 at 15:29 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the Supabase Auth patch to version 2.185.0 or later
  • If unable to upgrade immediately, disable Apple and Azure authentication providers in your Supabase Auth configuration
  • Review and monitor authentication logs for any unusual activity

Generated by OpenCVE AI on March 20, 2026 at 15:29 UTC.

Advisories

No advisories yet.

History

Fri, 20 Mar 2026 14:15:00 +0000

Type | Values Removed | Values Added
CPEs |                | cpe:2.3:a:supabase:auth:*:*:*:*:*:*:*:*

Thu, 12 Mar 2026 10:15:00 +0000

Type                | Values Removed | Values Added
First Time appeared |                | Supabase, Supabase auth
Vendors & Products  |                | Supabase, Supabase auth

Wed, 11 Mar 2026 18:15:00 +0000

Type    | Values Removed | Values Added
Metrics |                | ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 11 Mar 2026 17:00:00 +0000

Type        | Values Removed | Values Added
Description |                | Supabase Auth is a JWT based API for managing users and issuing JWT tokens. Prior to 2.185.0, a vulnerability has been identified that allows an attacker to issue sessions for arbitrary users using specially crafted ID tokens when the Apple or Azure providers are enabled. The attacker issues a valid, asymmetrically signed ID token from their issuer for each victim email address, which then is sent to the Supabase Auth token endpoint using the ID token flow. If the ID token is OIDC compliant, the Auth server would validate it against the attacker-controlled issuer and link the existing OIDC identity (Apple or Azure) of the victim to an additional OIDC identity based on the ID token contents. The Auth server would then issue a valid user session (access and refresh tokens) at the AAL1 level to the attacker. This vulnerability is fixed in 2.185.0.
Title       |                | Supabase Auth has insecure Apple and Azure authentication with ID tokens
Weaknesses  |                | CWE-290
References  |                |
Metrics     |                | cvssV3_1 {'score': 4.8, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-11T17:20:20.728Z

Reserved: 2026-03-09T16:33:42.914Z

Link: CVE-2026-31813

Vulnrichment

Updated: 2026-03-11T17:14:15.360Z

NVD

Status: Analyzed

Published: 2026-03-11T17:16:58.107

Modified: 2026-03-20T14:06:42.643

Link: CVE-2026-31813

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-23T09:55:23Z

Weaknesses