CVE-2026-31813
- Source
- https://cve.org/CVERecord?id=CVE-2026-31813
- Import Source
- https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-31813.json
- JSON Data
- https://api.osv.dev/v1/vulns/CVE-2026-31813
- Aliases
-
- GHSA-v36f-qvww-8w8m
- Published
- 2026-03-11T16:42:56.606Z
- Modified
- 2026-04-10T05:42:49.994322Z
- Severity
-
- 4.8 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N CVSS Calculator
- Summary
- Supabase Auth has insecure Apple and Azure authentication with ID tokens
- Details
-
Supabase Auth is a JWT based API for managing users and issuing JWT tokens. Prior to 2.185.0, a vulnerability has been identified that allows an attacker to issue sessions for arbitrary users using specially crafted ID tokens when the Apple or Azure providers are enabled. The attacker issues a valid, asymmetrically signed ID token from their issuer for each victim email address, which then is sent to the Supabase Auth token endpoint using the ID token flow. If the ID token is OIDC compliant, the Auth server would validate it against the attacker-controlled issuer and link the existing OIDC identity (Apple or Azure) of the victim to an additional OIDC identity based on the ID token contents. The Auth server would then issue a valid user session (access and refresh tokens) at the AAL1 level to the attacker. This vulnerability is fixed in 2.185.0.
- Database specific
{ "cna_assigner": "GitHub_M", "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/31xxx/CVE-2026-31813.json", "cwe_ids": [ "CWE-290" ] }- References
Affected packages
Git / github.com/supabase/auth
Affected ranges
- Type
- GIT
- Repo
- https://github.com/supabase/auth
- Events
-
Introduced0 Unknown introduced commit / All previous commits are affectedFixed
Affected versions
rc2.*
rc2.139.2-rc.13
rc2.139.2-rc.15
rc2.139.2-rc.16
rc2.139.2-rc.3
rc2.139.2-rc.6
rc2.139.2-rc.7
rc2.139.2-rc.9
rc2.140.0-rc.1
rc2.140.0-rc.2
rc2.141.0-rc.1
rc2.141.0-rc.2
rc2.142.0-rc.1
rc2.142.0-rc.2
rc2.142.1-rc.1
rc2.142.1-rc.2
rc2.142.1-rc.3
rc2.142.1-rc.4
rc2.142.1-rc.5
rc2.142.1-rc.6
rc2.142.1-rc.7
rc2.143.0-rc.8
rc2.143.1-rc.1
rc2.144.0-rc.1
rc2.144.0-rc.10
rc2.144.0-rc.11
rc2.144.0-rc.12
rc2.144.0-rc.2
rc2.144.0-rc.3
rc2.144.0-rc.4
rc2.144.0-rc.5
rc2.144.0-rc.7
rc2.144.0-rc.8
rc2.144.0-rc.9
rc2.144.1-rc.1
rc2.145.0-rc.1
rc2.145.0-rc.10
rc2.145.0-rc.11
rc2.145.0-rc.12
rc2.145.0-rc.13
rc2.145.0-rc.14
rc2.145.0-rc.15
rc2.145.0-rc.17
rc2.145.0-rc.18
rc2.145.0-rc.19
rc2.145.0-rc.2
rc2.145.0-rc.20
rc2.145.0-rc.21
rc2.145.0-rc.22
rc2.145.0-rc.3
rc2.145.0-rc.4
rc2.145.0-rc.5
rc2.145.0-rc.6
rc2.145.0-rc.8
rc2.145.0-rc.9
rc2.146.0-rc.1
rc2.146.0-rc.10
rc2.146.0-rc.11
rc2.146.0-rc.12
rc2.146.0-rc.2
rc2.146.0-rc.4
rc2.146.0-rc.5
rc2.146.0-rc.7
rc2.146.0-rc.8
rc2.146.0-rc.9
rc2.147.0-rc.2
rc2.147.1-rc.1
rc2.147.1-rc.2
rc2.148.0-rc.1
rc2.149.0-rc.1
rc2.149.0-rc.2
rc2.149.0-rc.3
rc2.149.0-rc.4
rc2.150.0-rc.1
rc2.150.0-rc.2
rc2.150.0-rc.3
rc2.150.0-rc.5
rc2.150.0-rc.6
rc2.150.0-rc.7
rc2.150.1-rc.1
rc2.150.1-rc.2
rc2.150.2-rc.1
rc2.150.2-rc.2
rc2.150.2-rc.3
rc2.151.0-rc.4
rc2.152.0-rc.1
rc2.152.0-rc.2
rc2.152.0-rc.3
rc2.152.0-rc.4
rc2.152.0-rc.5
rc2.152.0-rc.7
rc2.152.1-rc.1
rc2.152.1-rc.2
rc2.152.1-rc.3
rc2.153.0-rc.10
rc2.153.0-rc.4
rc2.153.0-rc.5
rc2.153.0-rc.6
rc2.153.0-rc.7
rc2.154.0-rc.1
rc2.154.0-rc.2
rc2.154.0-rc.4
rc2.154.0-rc.5
rc2.154.0-rc.6
rc2.154.0-rc.8
rc2.154.0-rc.9
rc2.154.1-rc.1
rc2.154.1-rc.2
rc2.154.2-rc.1
rc2.154.2-rc.2
rc2.154.2-rc.3
rc2.154.3-rc.1
rc2.154.3-rc.2
rc2.154.3-rc.3
rc2.154.3-rc.4
rc2.154.3-rc.5
rc2.155.0-rc.6
rc2.155.1-rc.1
rc2.155.1-rc.2
rc2.155.1-rc.3
rc2.155.2-rc.2
rc2.155.2-rc.4
rc2.155.2-rc.5
rc2.155.3-rc.1
rc2.155.4-rc.1
rc2.155.5-rc.1
rc2.155.5-rc.2
rc2.155.5-rc.3
rc2.155.6-rc.1
rc2.155.7-rc.1
rc2.156.0-rc.2
rc2.157.0-rc.1
rc2.157.1-rc.1
rc2.158.0-rc.1
rc2.158.0-rc.2
rc2.158.0-rc.3
rc2.158.0-rc.4
rc2.158.0-rc.5
rc2.158.0-rc.6
rc2.158.0-rc.7
rc2.158.1-rc.1
rc2.158.1-rc.10
rc2.158.1-rc.11
rc2.158.1-rc.2
rc2.158.1-rc.3
rc2.158.1-rc.4
rc2.158.1-rc.5
rc2.158.1-rc.6
rc2.158.1-rc.7
rc2.158.1-rc.8
rc2.158.1-rc.9
rc2.158.2-rc.2
rc2.158.2-rc.3
rc2.158.2-rc.4
rc2.158.2-rc.5
rc2.158.2-rc.6
rc2.158.2-rc.7
rc2.159.0-rc.10
rc2.159.0-rc.8
rc2.159.0-rc.9
rc2.159.1-rc.1
rc2.159.2-rc.1
rc2.159.2-rc.2
rc2.159.2-rc.3
rc2.159.3-rc.1
rc2.160.0-rc.2
rc2.160.0-rc.3
rc2.160.0-rc.4
rc2.160.0-rc.5
rc2.160.1-rc.1
rc2.160.1-rc.2
rc2.160.1-rc.3
rc2.160.1-rc.4
rc2.161.0-rc.5
rc2.161.0-rc.6
rc2.161.0-rc.7
rc2.161.0-rc.8
rc2.161.0-rc.9
rc2.161.1-rc.1
rc2.162.0-rc.2
rc2.162.0-rc.3
rc2.162.1-rc.1
rc2.162.2-rc.1
rc2.162.2-rc.3
rc2.162.2-rc.4
rc2.162.3-rc.1
rc2.162.3-rc.2
rc2.163.0-rc.10
rc2.163.0-rc.11
rc2.163.0-rc.3
rc2.163.0-rc.4
rc2.163.0-rc.5
rc2.163.0-rc.6
rc2.163.0-rc.7
rc2.163.0-rc.8
rc2.163.0-rc.9
rc2.163.1-rc.1
rc2.163.2-rc.1
rc2.164.0-rc.1
rc2.164.0-rc.10
rc2.164.0-rc.11
rc2.164.0-rc.2
rc2.164.0-rc.4
rc2.164.0-rc.5
rc2.164.0-rc.6
rc2.164.0-rc.7
rc2.164.0-rc.8
rc2.164.0-rc.9
rc2.165.0-rc.4
rc2.165.0-rc.5
rc2.165.0-rc.6
rc2.165.0-rc.7
rc2.165.0-rc.9
rc2.165.1-rc.1
rc2.165.1-rc.2
rc2.165.1-rc.3
rc2.165.1-rc.4
rc2.165.1-rc.5
rc2.165.1-rc.6
rc2.165.1-rc.7
rc2.166.0-rc.8
rc2.167.0-rc.1
rc2.168.0-rc.6
rc2.168.1-rc.2
rc2.169.0-rc.10
rc2.169.0-rc.11
rc2.169.0-rc.13
rc2.169.0-rc.14
rc2.169.0-rc.3
rc2.169.0-rc.4
rc2.169.0-rc.7
rc2.169.0-rc.9
rc2.169.1-rc.1
rc2.170.0-rc.10
rc2.170.0-rc.2
rc2.170.0-rc.3
rc2.170.0-rc.4
rc2.170.0-rc.5
rc2.170.0-rc.6
rc2.170.0-rc.8
rc2.170.0-rc.9
rc2.171.0-rc.14
rc2.171.0-rc.15
rc2.171.0-rc.4
rc2.171.0-rc.5
rc2.171.0-rc.6
rc2.171.0-rc.8
rc2.171.0-rc.9
rc2.172.0-rc.2
rc2.172.0-rc.3
rc2.172.0-rc.4
rc2.172.0-rc.5
rc2.172.0-rc.6
rc2.172.0-rc.7
rc2.172.0-rc.8
rc2.172.1-rc.1
rc2.172.2-rc.2
rc2.173.0-rc.3
rc2.173.0-rc.4
rc2.173.0-rc.5
rc2.174.0-rc.1
rc2.174.0-rc.2
rc2.174.0-rc.3
rc2.174.0-rc.4
rc2.175.0-rc.2
rc2.175.0-rc.3
rc2.176.0-rc.1
rc2.176.0-rc.2
rc2.176.1-rc.1
rc2.176.1-rc.2
rc2.176.2-rc.1
rc2.176.2-rc.6
rc2.177.0-rc.10
rc2.177.0-rc.11
rc2.177.0-rc.12
rc2.177.0-rc.13
rc2.177.0-rc.14
rc2.177.0-rc.7
rc2.177.0-rc.8
rc2.177.0-rc.9
rc2.178.0-rc.1
rc2.178.0-rc.2
rc2.178.0-rc.3
rc2.178.0-rc.4
rc2.178.0-rc.5
rc2.179.0-rc.1
rc2.179.0-rc.11
rc2.179.0-rc.16
rc2.179.0-rc.17
rc2.179.0-rc.18
rc2.179.0-rc.2
rc2.179.0-rc.20
rc2.179.0-rc.21
rc2.179.0-rc.3
rc2.179.0-rc.4
rc2.179.0-rc.5
rc2.179.0-rc.6
rc2.179.0-rc.7
rc2.179.0-rc.8
rc2.179.0-rc.9
rc2.180.0-rc.1
rc2.180.0-rc.10
rc2.180.0-rc.11
rc2.180.0-rc.12
rc2.180.0-rc.13
rc2.180.0-rc.14
rc2.180.0-rc.15
rc2.180.0-rc.16
rc2.180.0-rc.17
rc2.180.0-rc.2
rc2.181.0-rc.1
rc2.181.0-rc.10
rc2.181.0-rc.11
rc2.181.0-rc.12
rc2.181.0-rc.14
rc2.181.0-rc.15
rc2.181.0-rc.16
rc2.181.0-rc.17
rc2.181.0-rc.18
rc2.181.0-rc.19
rc2.181.0-rc.2
rc2.181.0-rc.3
rc2.181.0-rc.4
rc2.181.0-rc.5
rc2.181.0-rc.6
rc2.181.0-rc.7
rc2.181.0-rc.8
rc2.181.0-rc.9
rc2.182.0-rc.1
rc2.182.0-rc.2
rc2.182.1-rc.1
rc2.182.2-rc.1
rc2.182.2-rc.2
rc2.182.2-rc.3
rc2.183.0-rc.10
rc2.183.0-rc.4
rc2.183.0-rc.5
rc2.183.0-rc.6
rc2.183.0-rc.7
rc2.183.0-rc.8
rc2.183.0-rc.9
rc2.184.0-rc.3
rc2.184.0-rc.4
rc2.184.0-rc.5
rc2.185.0-rc.1
rc2.185.0-rc.11
rc2.185.0-rc.12
rc2.185.0-rc.13
rc2.185.0-rc.14
rc2.185.0-rc.3
rc2.185.0-rc.4
rc2.185.0-rc.5
rc2.185.0-rc.6
rc2.185.0-rc.7
rc2.185.0-rc.8
rc2.185.0-rc.9
v1.*
v1.0.0
v1.0.1
v1.0.2
v1.1.0
v1.1.1
v1.1.2
v1.10.0
v1.10.1
v1.10.2
v1.11.0
v1.2.0
v1.3.0
v1.3.1
v1.3.2
v1.3.3
v1.3.4
v1.3.5
v1.3.6
v1.3.7
v1.4.0
v1.4.1
v1.4.10
v1.4.11
v1.4.3
v1.4.4
v1.4.5
v1.4.6
v1.4.7
v1.4.8
v1.4.9
v1.5.0
v1.5.1
v1.5.2
v1.5.3
v1.5.4
v1.7.2
v1.7.3
v1.8.0
v1.8.1
v1.8.2
v1.8.3
v1.8.4
v1.8.5
v1.9.0
v1.9.1
v2.*
v2.0.0
v2.0.1
v2.0.10
v2.0.11
v2.0.2
v2.0.3
v2.0.4
v2.0.5
v2.0.6
v2.0.7
v2.0.8
v2.0.9
v2.1.0
v2.1.1
v2.1.10
v2.1.11
v2.1.12
v2.1.13
v2.1.14
v2.1.15
v2.1.16
v2.1.17
v2.1.18
v2.1.19
v2.1.2
v2.1.20
v2.1.3
v2.1.4
v2.1.5
v2.1.6
v2.1.7
v2.1.8
v2.1.9
v2.10.0
v2.10.1
v2.10.2
v2.10.3
v2.100.0
v2.101.0
v2.101.1
v2.101.2
v2.102.0
v2.103.0
v2.104.0
v2.104.1
v2.104.2
v2.104.3
v2.105.0
v2.105.1
v2.106.0
v2.106.1
v2.106.2
v2.107.0
v2.108.0
v2.109.0
v2.109.1
v2.11.0
v2.110.0
v2.111.0
v2.112.0
v2.113.0
v2.114.0
v2.114.1
v2.115.0
v2.115.1
v2.116.0
v2.117.0
v2.118.0
v2.119.0
v2.12.0
v2.120.0
v2.121.0
v2.122.0
v2.123.0
v2.124.0
v2.125.0
v2.125.1
v2.126.0
v2.126.1
v2.127.0
v2.127.1
v2.127.2
v2.128.0
v2.129.0
v2.129.1
v2.13.0
v2.13.1
v2.130.0
v2.130.1
v2.131.0
v2.132.0
v2.132.1
v2.132.2
v2.132.3
v2.133.0
v2.134.0
v2.135.0
v2.136.0
v2.137.0
v2.138.0
v2.139.0
v2.139.1
v2.139.2
v2.14.0
v2.140.0
v2.141.0
v2.142.0
v2.143.0
v2.144.0
v2.145.0
v2.146.0
v2.147.0
v2.147.1
v2.148.0
v2.149.0
v2.15.0
v2.15.1
v2.15.2
v2.15.3
v2.15.4
v2.15.5
v2.150.0
v2.150.1
v2.151.0
v2.152.0
v2.153.0
v2.154.0
v2.154.1
v2.154.2
v2.155.0
v2.155.1
v2.155.2
v2.155.3
v2.155.4
v2.155.5
v2.155.6
v2.156.0
v2.157.0
v2.158.0
v2.158.1
v2.159.0
v2.159.1
v2.159.2
v2.16.0
v2.16.1
v2.16.2
v2.16.3
v2.16.4
v2.16.5
v2.16.6
v2.16.7
v2.16.8
v2.160.0
v2.161.0
v2.162.0
v2.162.1
v2.162.2
v2.163.0
v2.163.1
v2.163.2
v2.164.0
v2.165.0
v2.166.0
v2.167.0
v2.168.0
v2.169.0
v2.17.0
v2.17.1
v2.17.2
v2.17.3
v2.17.4
v2.17.5
v2.170.0
v2.171.0
v2.172.0
v2.172.1
v2.173.0
v2.174.0
v2.175.0
v2.176.0
v2.176.1
v2.177.0
v2.178.0
v2.179.0
v2.18.0
v2.18.1
v2.180.0
v2.181.0
v2.182.0
v2.182.1
v2.183.0
v2.184.0
v2.19.0
v2.19.1
v2.19.2
v2.19.3
v2.19.4
v2.2.0
v2.2.1
v2.2.10
v2.2.11
v2.2.12
v2.2.13
v2.2.14
v2.2.15
v2.2.16
v2.2.2
v2.2.3
v2.2.4
v2.2.5
v2.2.6
v2.2.7
v2.2.8
v2.2.9
v2.20.0
v2.21.0
v2.22.0
v2.22.1
v2.22.2
v2.23.0
v2.23.1
v2.23.2
v2.24.0
v2.25.0
v2.25.1
v2.26.0
v2.27.0
v2.28.0
v2.29.0
v2.3.0
v2.3.1
v2.3.10
v2.3.2
v2.3.3
v2.3.4
v2.3.5
v2.3.6
v2.3.7
v2.3.8
v2.3.9
v2.30.0
v2.30.1
v2.30.2
v2.30.3
v2.30.4
v2.30.5
v2.31.0
v2.31.1
v2.31.2
v2.32.0
v2.32.1
v2.32.2
v2.32.3
v2.32.4
v2.32.5
v2.33.0
v2.33.1
v2.33.2
v2.33.3
v2.34.0
v2.35.0
v2.36.0
v2.36.1
v2.37.0
v2.37.1
v2.37.2
v2.37.3
v2.37.4
v2.38.0
v2.38.1
v2.38.2
v2.38.3
v2.38.4
v2.38.5
v2.39.0
v2.4.0
v2.4.1
v2.40.0
v2.40.1
v2.40.2
v2.40.3
v2.41.0
v2.41.1
v2.41.2
v2.41.3
v2.41.4
v2.42.0
v2.42.1
v2.42.2
v2.43.0
v2.43.1
v2.44.0
v2.44.1
v2.45.0
v2.46.0
v2.47.0
v2.47.1
v2.48.0
v2.49.0
v2.5.0
v2.5.1
v2.5.10
v2.5.11
v2.5.12
v2.5.13
v2.5.14
v2.5.15
v2.5.16
v2.5.17
v2.5.18
v2.5.19
v2.5.2
v2.5.20
v2.5.21
v2.5.22
v2.5.3
v2.5.4
v2.5.5
v2.5.6
v2.5.7
v2.5.8
v2.5.9
v2.50.0
v2.51.0
v2.51.1
v2.51.2
v2.51.3
v2.51.4
v2.52.0
v2.52.1
v2.52.2
v2.53.0
v2.54.0
v2.55.0
v2.56.0
v2.57.0
v2.57.1
v2.57.2
v2.58.0
v2.59.0
v2.59.1
v2.59.2
v2.6.0
v2.6.1
v2.6.10
v2.6.11
v2.6.12
v2.6.13
v2.6.14
v2.6.15
v2.6.16
v2.6.17
v2.6.18
v2.6.19
v2.6.2
v2.6.20
v2.6.21
v2.6.22
v2.6.23
v2.6.24
v2.6.25
v2.6.26
v2.6.27
v2.6.28
v2.6.29
v2.6.3
v2.6.30
v2.6.31
v2.6.32
v2.6.33
v2.6.34
v2.6.35
v2.6.36
v2.6.37
v2.6.4
v2.6.5
v2.6.6
v2.6.7
v2.6.8
v2.6.9
v2.60.0
v2.60.1
v2.60.2
v2.60.3
v2.60.4
v2.60.5
v2.60.6
v2.60.7
v2.60.8
v2.60.9
v2.61.0
v2.62.0
v2.62.1
v2.63.0
v2.64.0
v2.65.0
v2.65.1
v2.66.0
v2.66.1
v2.67.0
v2.67.1
v2.68.0
v2.69.0
v2.69.1
v2.69.2
v2.69.3
v2.7.0
v2.7.1
v2.7.2
v2.70.0
v2.71.0
v2.72.0
v2.72.1
v2.73.0
v2.74.0
v2.74.1
v2.74.2
v2.74.3
v2.75.0
v2.76.0
v2.77.0
v2.77.1
v2.78.0
v2.79.0
v2.79.1
v2.79.2
v2.8.0
v2.8.1
v2.80.0
v2.81.0
v2.82.0
v2.82.1
v2.82.2
v2.82.3
v2.82.4
v2.83.0
v2.83.1
v2.83.2
v2.84.0
v2.84.1
v2.85.0
v2.86.0
v2.87.0
v2.87.1
v2.87.2
v2.88.0
v2.89.0
v2.9.0
v2.9.1
v2.9.2
v2.9.3
v2.90.0
v2.90.1
v2.91.0
v2.91.1
v2.92.0
v2.92.1
v2.93.0
v2.94.0
v2.95.0
v2.95.1
v2.95.2
v2.96.0
v2.97.0
v2.97.1
v2.98.0
v2.98.1
v2.98.2
v2.98.3
v2.99.0