CVE-2026-31813 Overview
A critical authentication bypass vulnerability has been identified in Supabase Auth, a JWT-based API for managing users and issuing JWT tokens. Prior to version 2.185.0, an attacker can issue sessions for arbitrary users by exploiting improper validation of OIDC ID tokens when Apple or Azure providers are enabled.
The vulnerability allows an attacker to craft valid, asymmetrically signed ID tokens from their own issuer for victim email addresses. When these malicious tokens are sent to the Supabase Auth token endpoint using the ID token flow, the Auth server validates them against the attacker-controlled issuer instead of the legitimate provider. This results in the victim's existing OIDC identity (Apple or Azure) being linked to an additional OIDC identity controlled by the attacker, enabling the attacker to obtain valid user sessions at the AAL1 level.
Critical Impact
Attackers can hijack user sessions by exploiting OIDC token validation flaws, gaining unauthorized access to victim accounts when Apple or Azure authentication providers are enabled.
Affected Products
- Supabase Auth versions prior to 2.185.0
- Applications using Apple OAuth provider with Supabase Auth
- Applications using Azure OAuth provider with Supabase Auth
Discovery Timeline
- 2026-03-11 - CVE CVE-2026-31813 published to NVD
- 2026-03-12 - Last updated in NVD database
Technical Details for CVE-2026-31813
Vulnerability Analysis
This vulnerability is classified as CWE-290 (Authentication Bypass by Spoofing), representing a fundamental flaw in how the Supabase Auth server validates OIDC ID tokens from federated identity providers.
The core issue stems from insufficient verification of the token issuer during the ID token validation process. When processing ID tokens for Apple or Azure authentication flows, the Auth server fails to properly verify that the token's issuer (iss claim) matches the expected legitimate provider. This allows an attacker to substitute a malicious issuer that they control while maintaining OIDC compliance.
The attack is particularly dangerous because it targets the trust relationship between the application and federated identity providers. By exploiting this validation gap, attackers can effectively impersonate any user who has previously authenticated via Apple or Azure providers.
Root Cause
The root cause lies in the improper validation of OIDC ID token issuers within the Supabase Auth token endpoint. When processing ID tokens, the server validates the token's cryptographic signature and OIDC compliance but fails to enforce strict issuer verification. This allows tokens signed by arbitrary issuers to be accepted as valid, as long as they conform to OIDC specifications.
The vulnerability specifically affects the ID token flow where tokens are submitted directly to the Auth server rather than being obtained through the standard OAuth authorization code flow with proper redirect URI validation.
Attack Vector
The attack follows a network-based exploitation path requiring no user interaction or prior authentication. An attacker exploiting this vulnerability would:
- Identify a target application using Supabase Auth with Apple or Azure providers enabled
- Obtain or enumerate victim email addresses associated with the target application
- Set up a malicious OIDC-compliant identity provider under attacker control
- Generate valid, asymmetrically signed ID tokens for each victim email address using the malicious issuer
- Submit these crafted ID tokens to the Supabase Auth token endpoint using the ID token flow
- The Auth server validates the token against the attacker-controlled issuer and issues access/refresh tokens
- The attacker receives valid AAL1 session tokens, gaining unauthorized access to victim accounts
The attack exploits the OIDC ID token validation mechanism during federated authentication. When a malicious token is submitted, the Auth server's validation logic accepts it as legitimate because the token is technically OIDC-compliant, even though the issuer is not an authorized identity provider. For detailed technical information, refer to the GitHub Security Advisory.
Detection Methods for CVE-2026-31813
Indicators of Compromise
- Multiple authentication events from unexpected OIDC issuers for the same user account
- Session tokens issued for accounts without corresponding legitimate Apple or Azure authentication flows
- Anomalous linking of additional OIDC identities to existing user accounts
- Authentication requests with ID tokens containing unusual or unrecognized iss claims
Detection Strategies
- Monitor authentication logs for ID token submissions with issuers that don't match configured Apple or Azure provider endpoints
- Implement alerting for multiple OIDC identity linkages to a single user account within short time windows
- Review authentication audit trails for sessions created without corresponding OAuth authorization code exchanges
- Deploy Web Application Firewalls (WAF) rules to inspect and validate ID token payloads
Monitoring Recommendations
- Enable detailed logging for all OIDC token validation events including issuer verification results
- Establish baseline patterns for legitimate Apple and Azure authentication flows to detect anomalies
- Configure alerts for failed issuer validation attempts that could indicate reconnaissance activity
- Monitor for bulk authentication attempts targeting multiple user email addresses
How to Mitigate CVE-2026-31813
Immediate Actions Required
- Upgrade Supabase Auth to version 2.185.0 or later immediately
- Audit authentication logs for any suspicious OIDC identity linkages that may indicate prior exploitation
- Review all user sessions and consider invalidating active tokens if compromise is suspected
- Temporarily disable Apple and Azure providers if immediate patching is not possible
Patch Information
Supabase has released version 2.185.0 which addresses this vulnerability by implementing proper issuer validation for OIDC ID tokens. The fix ensures that ID tokens are only accepted from configured, legitimate identity providers (Apple and Azure) and rejects tokens from unauthorized issuers.
Organizations should prioritize upgrading to the patched version. For detailed information about the fix, consult the GitHub Security Advisory.
Workarounds
- If immediate patching is not feasible, consider temporarily disabling Apple and Azure authentication providers until the upgrade can be completed
- Implement additional network-level controls to restrict access to the Auth token endpoint
- Deploy monitoring to detect and alert on suspicious authentication patterns while awaiting the patch
- Consider implementing additional authentication factors (MFA) to reduce the impact of potential session hijacking
# Configuration example - Upgrade Supabase Auth
# Update to patched version 2.185.0 or later
npm update @supabase/auth-helpers-nextjs
# or for direct Supabase Auth server deployments
docker pull supabase/gotrue:v2.185.0
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
