{"id":"CVE-2026-31813","summary":"Supabase Auth has insecure Apple and Azure authentication with ID tokens","details":"Supabase Auth is a JWT-based API for managing users and issuing JWT tokens. Versions prior to 2.185.0 contain a vulnerability that allows an attacker to issue sessions for arbitrary users using specially crafted ID tokens when the Apple or Azure providers are enabled. The attacker issues a valid, asymmetrically signed ID token from their own issuer for each victim email address, which is then sent to the Supabase Auth token endpoint using the ID token flow. If the ID token is OIDC-compliant, the Auth server would validate it against the attacker-controlled issuer and link the existing OIDC identity (Apple or Azure) of the victim to an additional OIDC identity based on the ID token contents. The Auth server would then issue a valid user session (access and refresh tokens) at the AAL1 level to the attacker. This vulnerability is fixed in 2.185.0.","aliases":["GHSA-v36f-qvww-8w8m"],"modified":"2026-04-10T05:42:49.994322Z","published":"2026-03-11T16:42:56.606Z","database_specific":{"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/31xxx/CVE-2026-31813.json","cwe_ids":["CWE-290"],"cna_assigner":"GitHub_M"},"references":[{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/31xxx/CVE-2026-31813.json"},{"type":"ADVISORY","url":"https://github.com/supabase/auth/security/advisories/GHSA-v36f-qvww-8w8m"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-31813"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/supabase/auth","events":[{"introduced":"0"},{"fixed":"711763ce9c68c2b133e2f284e9e5fe6db56e3be1"}]}],"versions":["rc2.139.2-rc.13","rc2.139.2-rc.15","rc2.139.2-rc.16","rc2.139.2-rc.3","rc2.139.2-rc.6","rc2.139.2-rc.7","rc2.139.2-rc.9","rc2.140.0-rc.1","rc2.140.0-rc.2","rc2.141.0-rc.1","rc2.141.0-rc.2","rc2.142.0-rc.1","rc2.142.0-rc.2","rc2.142.1-rc.1","rc2.14
2.1-rc.2","rc2.142.1-rc.3","rc2.142.1-rc.4","rc2.142.1-rc.5","rc2.142.1-rc.6","rc2.142.1-rc.7","rc2.143.0-rc.8","rc2.143.1-rc.1","rc2.144.0-rc.1","rc2.144.0-rc.10","rc2.144.0-rc.11","rc2.144.0-rc.12","rc2.144.0-rc.2","rc2.144.0-rc.3","rc2.144.0-rc.4","rc2.144.0-rc.5","rc2.144.0-rc.7","rc2.144.0-rc.8","rc2.144.0-rc.9","rc2.144.1-rc.1","rc2.145.0-rc.1","rc2.145.0-rc.10","rc2.145.0-rc.11","rc2.145.0-rc.12","rc2.145.0-rc.13","rc2.145.0-rc.14","rc2.145.0-rc.15","rc2.145.0-rc.17","rc2.145.0-rc.18","rc2.145.0-rc.19","rc2.145.0-rc.2","rc2.145.0-rc.20","rc2.145.0-rc.21","rc2.145.0-rc.22","rc2.145.0-rc.3","rc2.145.0-rc.4","rc2.145.0-rc.5","rc2.145.0-rc.6","rc2.145.0-rc.8","rc2.145.0-rc.9","rc2.146.0-rc.1","rc2.146.0-rc.10","rc2.146.0-rc.11","rc2.146.0-rc.12","rc2.146.0-rc.2","rc2.146.0-rc.4","rc2.146.0-rc.5","rc2.146.0-rc.7","rc2.146.0-rc.8","rc2.146.0-rc.9","rc2.147.0-rc.2","rc2.147.1-rc.1","rc2.147.1-rc.2","rc2.148.0-rc.1","rc2.149.0-rc.1","rc2.149.0-rc.2","rc2.149.0-rc.3","rc2.149.0-rc.4","rc2.150.0-rc.1","rc2.150.0-rc.2","rc2.150.0-rc.3","rc2.150.0-rc.5","rc2.150.0-rc.6","rc2.150.0-rc.7","rc2.150.1-rc.1","rc2.150.1-rc.2","rc2.150.2-rc.1","rc2.150.2-rc.2","rc2.150.2-rc.3","rc2.151.0-rc.4","rc2.152.0-rc.1","rc2.152.0-rc.2","rc2.152.0-rc.3","rc2.152.0-rc.4","rc2.152.0-rc.5","rc2.152.0-rc.7","rc2.152.1-rc.1","rc2.152.1-rc.2","rc2.152.1-rc.3","rc2.153.0-rc.10","rc2.153.0-rc.4","rc2.153.0-rc.5","rc2.153.0-rc.6","rc2.153.0-rc.7","rc2.154.0-rc.1","rc2.154.0-rc.2","rc2.154.0-rc.4","rc2.154.0-rc.5","rc2.154.0-rc.6","rc2.154.0-rc.8","rc2.154.0-rc.9","rc2.154.1-rc.1","rc2.154.1-rc.2","rc2.154.2-rc.1","rc2.154.2-rc.2","rc2.154.2-rc.3","rc2.154.3-rc.1","rc2.154.3-rc.2","rc2.154.3-rc.3","rc2.154.3-rc.4","rc2.154.3-rc.5","rc2.155.0-rc.6","rc2.155.1-rc.1","rc2.155.1-rc.2","rc2.155.1-rc.3","rc2.155.2-rc.2","rc2.155.2-rc.4","rc2.155.2-rc.5","rc2.155.3-rc.1","rc2.155.4-rc.1","rc2.155.5-rc.1","rc2.155.5-rc.2","rc2.155.5-rc.3","rc2.155.6-rc.1","rc2.155.7-rc.1","rc2.156.0-rc.2","rc2.157.0-rc.1"
,"rc2.157.1-rc.1","rc2.158.0-rc.1","rc2.158.0-rc.2","rc2.158.0-rc.3","rc2.158.0-rc.4","rc2.158.0-rc.5","rc2.158.0-rc.6","rc2.158.0-rc.7","rc2.158.1-rc.1","rc2.158.1-rc.10","rc2.158.1-rc.11","rc2.158.1-rc.2","rc2.158.1-rc.3","rc2.158.1-rc.4","rc2.158.1-rc.5","rc2.158.1-rc.6","rc2.158.1-rc.7","rc2.158.1-rc.8","rc2.158.1-rc.9","rc2.158.2-rc.2","rc2.158.2-rc.3","rc2.158.2-rc.4","rc2.158.2-rc.5","rc2.158.2-rc.6","rc2.158.2-rc.7","rc2.159.0-rc.10","rc2.159.0-rc.8","rc2.159.0-rc.9","rc2.159.1-rc.1","rc2.159.2-rc.1","rc2.159.2-rc.2","rc2.159.2-rc.3","rc2.159.3-rc.1","rc2.160.0-rc.2","rc2.160.0-rc.3","rc2.160.0-rc.4","rc2.160.0-rc.5","rc2.160.1-rc.1","rc2.160.1-rc.2","rc2.160.1-rc.3","rc2.160.1-rc.4","rc2.161.0-rc.5","rc2.161.0-rc.6","rc2.161.0-rc.7","rc2.161.0-rc.8","rc2.161.0-rc.9","rc2.161.1-rc.1","rc2.162.0-rc.2","rc2.162.0-rc.3","rc2.162.1-rc.1","rc2.162.2-rc.1","rc2.162.2-rc.3","rc2.162.2-rc.4","rc2.162.3-rc.1","rc2.162.3-rc.2","rc2.163.0-rc.10","rc2.163.0-rc.11","rc2.163.0-rc.3","rc2.163.0-rc.4","rc2.163.0-rc.5","rc2.163.0-rc.6","rc2.163.0-rc.7","rc2.163.0-rc.8","rc2.163.0-rc.9","rc2.163.1-rc.1","rc2.163.2-rc.1","rc2.164.0-rc.1","rc2.164.0-rc.10","rc2.164.0-rc.11","rc2.164.0-rc.2","rc2.164.0-rc.4","rc2.164.0-rc.5","rc2.164.0-rc.6","rc2.164.0-rc.7","rc2.164.0-rc.8","rc2.164.0-rc.9","rc2.165.0-rc.4","rc2.165.0-rc.5","rc2.165.0-rc.6","rc2.165.0-rc.7","rc2.165.0-rc.9","rc2.165.1-rc.1","rc2.165.1-rc.2","rc2.165.1-rc.3","rc2.165.1-rc.4","rc2.165.1-rc.5","rc2.165.1-rc.6","rc2.165.1-rc.7","rc2.166.0-rc.8","rc2.167.0-rc.1","rc2.168.0-rc.6","rc2.168.1-rc.2","rc2.169.0-rc.10","rc2.169.0-rc.11","rc2.169.0-rc.13","rc2.169.0-rc.14","rc2.169.0-rc.3","rc2.169.0-rc.4","rc2.169.0-rc.7","rc2.169.0-rc.9","rc2.169.1-rc.1","rc2.170.0-rc.10","rc2.170.0-rc.2","rc2.170.0-rc.3","rc2.170.0-rc.4","rc2.170.0-rc.5","rc2.170.0-rc.6","rc2.170.0-rc.8","rc2.170.0-rc.9","rc2.171.0-rc.14","rc2.171.0-rc.15","rc2.171.0-rc.4","rc2.171.0-rc.5","rc2.171.0-rc.6","rc2.171.0-rc.8","rc2.171.0-rc.9","rc2.172.0-rc
.2","rc2.172.0-rc.3","rc2.172.0-rc.4","rc2.172.0-rc.5","rc2.172.0-rc.6","rc2.172.0-rc.7","rc2.172.0-rc.8","rc2.172.1-rc.1","rc2.172.2-rc.2","rc2.173.0-rc.3","rc2.173.0-rc.4","rc2.173.0-rc.5","rc2.174.0-rc.1","rc2.174.0-rc.2","rc2.174.0-rc.3","rc2.174.0-rc.4","rc2.175.0-rc.2","rc2.175.0-rc.3","rc2.176.0-rc.1","rc2.176.0-rc.2","rc2.176.1-rc.1","rc2.176.1-rc.2","rc2.176.2-rc.1","rc2.176.2-rc.6","rc2.177.0-rc.10","rc2.177.0-rc.11","rc2.177.0-rc.12","rc2.177.0-rc.13","rc2.177.0-rc.14","rc2.177.0-rc.7","rc2.177.0-rc.8","rc2.177.0-rc.9","rc2.178.0-rc.1","rc2.178.0-rc.2","rc2.178.0-rc.3","rc2.178.0-rc.4","rc2.178.0-rc.5","rc2.179.0-rc.1","rc2.179.0-rc.11","rc2.179.0-rc.16","rc2.179.0-rc.17","rc2.179.0-rc.18","rc2.179.0-rc.2","rc2.179.0-rc.20","rc2.179.0-rc.21","rc2.179.0-rc.3","rc2.179.0-rc.4","rc2.179.0-rc.5","rc2.179.0-rc.6","rc2.179.0-rc.7","rc2.179.0-rc.8","rc2.179.0-rc.9","rc2.180.0-rc.1","rc2.180.0-rc.10","rc2.180.0-rc.11","rc2.180.0-rc.12","rc2.180.0-rc.13","rc2.180.0-rc.14","rc2.180.0-rc.15","rc2.180.0-rc.16","rc2.180.0-rc.17","rc2.180.0-rc.2","rc2.181.0-rc.1","rc2.181.0-rc.10","rc2.181.0-rc.11","rc2.181.0-rc.12","rc2.181.0-rc.14","rc2.181.0-rc.15","rc2.181.0-rc.16","rc2.181.0-rc.17","rc2.181.0-rc.18","rc2.181.0-rc.19","rc2.181.0-rc.2","rc2.181.0-rc.3","rc2.181.0-rc.4","rc2.181.0-rc.5","rc2.181.0-rc.6","rc2.181.0-rc.7","rc2.181.0-rc.8","rc2.181.0-rc.9","rc2.182.0-rc.1","rc2.182.0-rc.2","rc2.182.1-rc.1","rc2.182.2-rc.1","rc2.182.2-rc.2","rc2.182.2-rc.3","rc2.183.0-rc.10","rc2.183.0-rc.4","rc2.183.0-rc.5","rc2.183.0-rc.6","rc2.183.0-rc.7","rc2.183.0-rc.8","rc2.183.0-rc.9","rc2.184.0-rc.3","rc2.184.0-rc.4","rc2.184.0-rc.5","rc2.185.0-rc.1","rc2.185.0-rc.11","rc2.185.0-rc.12","rc2.185.0-rc.13","rc2.185.0-rc.14","rc2.185.0-rc.3","rc2.185.0-rc.4","rc2.185.0-rc.5","rc2.185.0-rc.6","rc2.185.0-rc.7","rc2.185.0-rc.8","rc2.185.0-rc.9","v1.0.0","v1.0.1","v1.0.2","v1.1.0","v1.1.1","v1.1.2","v1.10.0","v1.10.1","v1.10.2","v1.11.0","v1.2.0","v1.3.0","v1.3.1","v1.3.2","v1.3.3","v1.3
.4","v1.3.5","v1.3.6","v1.3.7","v1.4.0","v1.4.1","v1.4.10","v1.4.11","v1.4.3","v1.4.4","v1.4.5","v1.4.6","v1.4.7","v1.4.8","v1.4.9","v1.5.0","v1.5.1","v1.5.2","v1.5.3","v1.5.4","v1.7.2","v1.7.3","v1.8.0","v1.8.1","v1.8.2","v1.8.3","v1.8.4","v1.8.5","v1.9.0","v1.9.1","v2.0.0","v2.0.1","v2.0.10","v2.0.11","v2.0.2","v2.0.3","v2.0.4","v2.0.5","v2.0.6","v2.0.7","v2.0.8","v2.0.9","v2.1.0","v2.1.1","v2.1.10","v2.1.11","v2.1.12","v2.1.13","v2.1.14","v2.1.15","v2.1.16","v2.1.17","v2.1.18","v2.1.19","v2.1.2","v2.1.20","v2.1.3","v2.1.4","v2.1.5","v2.1.6","v2.1.7","v2.1.8","v2.1.9","v2.10.0","v2.10.1","v2.10.2","v2.10.3","v2.100.0","v2.101.0","v2.101.1","v2.101.2","v2.102.0","v2.103.0","v2.104.0","v2.104.1","v2.104.2","v2.104.3","v2.105.0","v2.105.1","v2.106.0","v2.106.1","v2.106.2","v2.107.0","v2.108.0","v2.109.0","v2.109.1","v2.11.0","v2.110.0","v2.111.0","v2.112.0","v2.113.0","v2.114.0","v2.114.1","v2.115.0","v2.115.1","v2.116.0","v2.117.0","v2.118.0","v2.119.0","v2.12.0","v2.120.0","v2.121.0","v2.122.0","v2.123.0","v2.124.0","v2.125.0","v2.125.1","v2.126.0","v2.126.1","v2.127.0","v2.127.1","v2.127.2","v2.128.0","v2.129.0","v2.129.1","v2.13.0","v2.13.1","v2.130.0","v2.130.1","v2.131.0","v2.132.0","v2.132.1","v2.132.2","v2.132.3","v2.133.0","v2.134.0","v2.135.0","v2.136.0","v2.137.0","v2.138.0","v2.139.0","v2.139.1","v2.139.2","v2.14.0","v2.140.0","v2.141.0","v2.142.0","v2.143.0","v2.144.0","v2.145.0","v2.146.0","v2.147.0","v2.147.1","v2.148.0","v2.149.0","v2.15.0","v2.15.1","v2.15.2","v2.15.3","v2.15.4","v2.15.5","v2.150.0","v2.150.1","v2.151.0","v2.152.0","v2.153.0","v2.154.0","v2.154.1","v2.154.2","v2.155.0","v2.155.1","v2.155.2","v2.155.3","v2.155.4","v2.155.5","v2.155.6","v2.156.0","v2.157.0","v2.158.0","v2.158.1","v2.159.0","v2.159.1","v2.159.2","v2.16.0","v2.16.1","v2.16.2","v2.16.3","v2.16.4","v2.16.5","v2.16.6","v2.16.7","v2.16.8","v2.160.0","v2.161.0","v2.162.0","v2.162.1","v2.162.2","v2.163.0","v2.163.1","v2.163.2","v2.164.0","v2.165.0","v2.166.0","v2.167.0","v2.16
8.0","v2.169.0","v2.17.0","v2.17.1","v2.17.2","v2.17.3","v2.17.4","v2.17.5","v2.170.0","v2.171.0","v2.172.0","v2.172.1","v2.173.0","v2.174.0","v2.175.0","v2.176.0","v2.176.1","v2.177.0","v2.178.0","v2.179.0","v2.18.0","v2.18.1","v2.180.0","v2.181.0","v2.182.0","v2.182.1","v2.183.0","v2.184.0","v2.19.0","v2.19.1","v2.19.2","v2.19.3","v2.19.4","v2.2.0","v2.2.1","v2.2.10","v2.2.11","v2.2.12","v2.2.13","v2.2.14","v2.2.15","v2.2.16","v2.2.2","v2.2.3","v2.2.4","v2.2.5","v2.2.6","v2.2.7","v2.2.8","v2.2.9","v2.20.0","v2.21.0","v2.22.0","v2.22.1","v2.22.2","v2.23.0","v2.23.1","v2.23.2","v2.24.0","v2.25.0","v2.25.1","v2.26.0","v2.27.0","v2.28.0","v2.29.0","v2.3.0","v2.3.1","v2.3.10","v2.3.2","v2.3.3","v2.3.4","v2.3.5","v2.3.6","v2.3.7","v2.3.8","v2.3.9","v2.30.0","v2.30.1","v2.30.2","v2.30.3","v2.30.4","v2.30.5","v2.31.0","v2.31.1","v2.31.2","v2.32.0","v2.32.1","v2.32.2","v2.32.3","v2.32.4","v2.32.5","v2.33.0","v2.33.1","v2.33.2","v2.33.3","v2.34.0","v2.35.0","v2.36.0","v2.36.1","v2.37.0","v2.37.1","v2.37.2","v2.37.3","v2.37.4","v2.38.0","v2.38.1","v2.38.2","v2.38.3","v2.38.4","v2.38.5","v2.39.0","v2.4.0","v2.4.1","v2.40.0","v2.40.1","v2.40.2","v2.40.3","v2.41.0","v2.41.1","v2.41.2","v2.41.3","v2.41.4","v2.42.0","v2.42.1","v2.42.2","v2.43.0","v2.43.1","v2.44.0","v2.44.1","v2.45.0","v2.46.0","v2.47.0","v2.47.1","v2.48.0","v2.49.0","v2.5.0","v2.5.1","v2.5.10","v2.5.11","v2.5.12","v2.5.13","v2.5.14","v2.5.15","v2.5.16","v2.5.17","v2.5.18","v2.5.19","v2.5.2","v2.5.20","v2.5.21","v2.5.22","v2.5.3","v2.5.4","v2.5.5","v2.5.6","v2.5.7","v2.5.8","v2.5.9","v2.50.0","v2.51.0","v2.51.1","v2.51.2","v2.51.3","v2.51.4","v2.52.0","v2.52.1","v2.52.2","v2.53.0","v2.54.0","v2.55.0","v2.56.0","v2.57.0","v2.57.1","v2.57.2","v2.58.0","v2.59.0","v2.59.1","v2.59.2","v2.6.0","v2.6.1","v2.6.10","v2.6.11","v2.6.12","v2.6.13","v2.6.14","v2.6.15","v2.6.16","v2.6.17","v2.6.18","v2.6.19","v2.6.2","v2.6.20","v2.6.21","v2.6.22","v2.6.23","v2.6.24","v2.6.25","v2.6.26","v2.6.27","v2.6.28","v2.6.29","v2.6.3","v
2.6.30","v2.6.31","v2.6.32","v2.6.33","v2.6.34","v2.6.35","v2.6.36","v2.6.37","v2.6.4","v2.6.5","v2.6.6","v2.6.7","v2.6.8","v2.6.9","v2.60.0","v2.60.1","v2.60.2","v2.60.3","v2.60.4","v2.60.5","v2.60.6","v2.60.7","v2.60.8","v2.60.9","v2.61.0","v2.62.0","v2.62.1","v2.63.0","v2.64.0","v2.65.0","v2.65.1","v2.66.0","v2.66.1","v2.67.0","v2.67.1","v2.68.0","v2.69.0","v2.69.1","v2.69.2","v2.69.3","v2.7.0","v2.7.1","v2.7.2","v2.70.0","v2.71.0","v2.72.0","v2.72.1","v2.73.0","v2.74.0","v2.74.1","v2.74.2","v2.74.3","v2.75.0","v2.76.0","v2.77.0","v2.77.1","v2.78.0","v2.79.0","v2.79.1","v2.79.2","v2.8.0","v2.8.1","v2.80.0","v2.81.0","v2.82.0","v2.82.1","v2.82.2","v2.82.3","v2.82.4","v2.83.0","v2.83.1","v2.83.2","v2.84.0","v2.84.1","v2.85.0","v2.86.0","v2.87.0","v2.87.1","v2.87.2","v2.88.0","v2.89.0","v2.9.0","v2.9.1","v2.9.2","v2.9.3","v2.90.0","v2.90.1","v2.91.0","v2.91.1","v2.92.0","v2.92.1","v2.93.0","v2.94.0","v2.95.0","v2.95.1","v2.95.2","v2.96.0","v2.97.0","v2.97.1","v2.98.0","v2.98.1","v2.98.2","v2.98.3","v2.99.0"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-31813.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N"}]}