Security Flaw in Supabase Auth API for User Management
CVE-2026-31813

4.8 MEDIUM

Key Information:

Vendor: Supabase
Status: Vendor
CVE Published: 11 March 2026

What is CVE-2026-31813?

Supabase Auth prior to version 2.185.0 improperly verifies the ID tokens it accepts from Apple and Azure: the checks do not rule out tokens that are under an attacker's control. An attacker who submits a specially crafted ID token issued by Apple or Azure can therefore have Supabase Auth create a session for any user, gaining access to the victim's account.
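As an added illustration (not part of this advisory and not Supabase Auth's own code), the following Python shows the checks a "sign in with ID token" endpoint should enforce before it turns a provider-issued ID token into a session: the issuer must be one the deployment trusts, the signature must verify against that issuer's keys, the audience must be one of the deployment's own registered client IDs, the token must be inside its validity window, the nonce must match the one handed to the client, and the account is linked on the (iss, sub) pair rather than on email. The advisory does not state which of these checks was missing before 2.185.0, so this is a generic validator, not a reconstruction of the fix. The issuer URLs, client IDs, key material and the HMAC-based signature stand-in are constructed for the example; real Apple and Azure tokens are RS256-signed and are verified against the JWKS published at the trusted issuer, never against a key or URL carried in the token itself.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Callable, Mapping, Optional, Set


class IdTokenError(Exception):
    """Any failed check: the login request must be refused."""


# Constructed configuration (placeholders, not Supabase's values): the
# issuers this deployment trusts and the client IDs it registered with each.
TRUSTED_ISSUERS: Mapping[str, Set[str]] = {
    "https://appleid.apple.com": {"com.example.app"},
    "https://login.microsoftonline.com/<tenant-id>/v2.0": {"<azure-client-id>"},
}

# verify(issuer, header, signing_input, signature) -> bool.  A production
# verifier pins the algorithm (RS256 for Apple and Azure) and fetches keys
# from the JWKS of the trusted issuer URL, never from a URL inside the token.
SignatureVerifier = Callable[[str, dict, bytes, bytes], bool]


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def validate_id_token(token: str, verify: SignatureVerifier, *,
                      trusted: Mapping[str, Set[str]] = TRUSTED_ISSUERS,
                      expected_nonce: Optional[str] = None,
                      now: Optional[int] = None, skew: int = 60) -> dict:
    """Return the identity {'iss', 'sub', 'email'} or raise IdTokenError."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise IdTokenError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(_b64url_decode(header_b64))
        claims = json.loads(_b64url_decode(payload_b64))
        signature = _b64url_decode(sig_b64)
    except ValueError as exc:  # bad base64, bad UTF-8 or bad JSON
        raise IdTokenError("undecodable token") from exc
    if not isinstance(header, dict) or not isinstance(claims, dict):
        raise IdTokenError("malformed token")
    # The issuer is read before the signature is checked, but only to select
    # which trusted key set to verify against; nothing else is trusted yet.
    issuer = claims.get("iss")
    if issuer not in trusted:
        raise IdTokenError("untrusted issuer")
    signing_input = f"{header_b64}.{payload_b64}".encode()
    if not verify(issuer, header, signing_input, signature):
        raise IdTokenError("bad signature")
    # Audience: a genuine token from the right issuer is still not ours
    # unless it was issued to one of *our* registered client IDs.
    aud = claims.get("aud")
    if isinstance(aud, str):
        audiences = {aud}
    elif isinstance(aud, list) and all(isinstance(a, str) for a in aud):
        audiences = set(aud)
    else:
        raise IdTokenError("malformed aud")
    if not audiences & trusted[issuer]:
        raise IdTokenError("audience mismatch")
    if len(audiences) > 1 and claims.get("azp") not in trusted[issuer]:
        raise IdTokenError("azp mismatch")
    # Validity window, with a small clock-skew allowance.
    exp = claims.get("exp")
    if not isinstance(exp, int) or exp + skew <= now:
        raise IdTokenError("expired")
    for name in ("nbf", "iat"):
        value = claims.get(name)
        if value is not None and (not isinstance(value, int) or value - skew > now):
            raise IdTokenError(f"{name} is in the future")
    # The nonce binds the token to the login attempt that requested it.
    if expected_nonce is not None and not hmac.compare_digest(
            str(claims.get("nonce", "")).encode(), expected_nonce.encode()):
        raise IdTokenError("nonce mismatch")
    sub = claims.get("sub")
    if not isinstance(sub, str) or not sub:
        raise IdTokenError("missing subject")
    # Link accounts on (iss, sub); email is informational and may be unverified.
    return {"iss": issuer, "sub": sub, "email": claims.get("email")}


# Constructed stand-in for RS256 + JWKS so the example runs offline: one HMAC
# key per (issuer, kid), with the algorithm pinned to what we expect.
def hs256_verifier(keys: Mapping[tuple, bytes]) -> SignatureVerifier:
    def verify(issuer, header, signing_input, signature):
        key = keys.get((issuer, header.get("kid")))
        if key is None or header.get("alg") != "HS256":
            return False
        expected = hmac.new(key, signing_input, hashlib.sha256).digest()
        return hmac.compare_digest(expected, signature)
    return verify


def mint_hs256_token(claims: dict, key: bytes, kid: str) -> str:
    """Constructed token minter standing in for the identity provider."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "kid": kid}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"
```

The order of checks matters: the issuer claim is consulted only to choose a key set, the signature is verified before any other claim is trusted, and the audience check comes before anything that could influence which account is selected. A token that is perfectly genuine but was issued to some other application (a different `aud`) is rejected even though its signature is valid, and the account lookup uses the pair `(iss, sub)` returned by `validate_id_token`, so a subject from one provider can never collide with the same subject string from another.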

Affected Version(s)

auth < 2.185.0


CVSS v3.1

Score: 4.8
Severity: MEDIUM
Confidentiality: Low
Integrity: Low
Availability: Low
Attack Vector: Network
Attack Complexity: High
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability reserved
