Skip to main content

Microsoft CVE-2026-31813

MEDIUM
Authentication Bypass by Spoofing (CWE-290)
2026-03-11 security-advisories@github.com
4.8
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
4.8 MEDIUM
AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

2
Analysis Generated
Mar 12, 2026 - 22:06 vuln.today
CVE Published
Mar 11, 2026 - 17:16 nvd
MEDIUM 4.8

DescriptionGitHub Advisory

Supabase Auth is a JWT based API for managing users and issuing JWT tokens. Prior to 2.185.0, a vulnerability has been identified that allows an attacker to issue sessions for arbitrary users using specially crafted ID tokens when the Apple or Azure providers are enabled. The attacker issues a valid, asymmetrically signed ID token from their issuer for each victim email address, which then is sent to the Supabase Auth token endpoint using the ID token flow. If the ID token is OIDC compliant, the Auth server would validate it against the attacker-controlled issuer and link the existing OIDC identity (Apple or Azure) of the victim to an additional OIDC identity based on the ID token contents. The Auth server would then issue a valid user session (access and refresh tokens) at the AAL1 level to the attacker. This vulnerability is fixed in 2.185.0.

AnalysisAI

Supabase Auth allows remote attackers to hijack user sessions by crafting fraudulent ID tokens when Apple or Azure OAuth providers are configured, enabling unauthorized access to victim accounts without requiring user interaction. An attacker can forge a valid JWT token for any target email address and exchange it at the token endpoint to obtain legitimate session credentials, effectively impersonating arbitrary users. This affects organizations using Supabase with Apple or Azure authentication enabled, with no patch currently available to remediate the vulnerability.

Technical ContextAI

This vulnerability (CWE-290: Authentication Bypass by Spoofing) affects Supabase Auth is a JWT based API for managing users and issuing JWT tokens.. Supabase Auth is a JWT based API for managing users and issuing JWT tokens. Prior to 2.185.0, a vulnerability has been identified that allows an attacker to issue sessions for arbitrary users using specially crafted ID tokens when the Apple or Azure providers are enabled. The attacker issues a valid, asymmetrically signed ID token from their issuer for each victim email address, which then is sent to the Supabase Auth token endpoint using the ID token flow. If the ID token is OIDC compliant, the

RemediationAI

Fixed in version 2.185.0.. Restrict network access to the affected service where possible.

Share

CVE-2026-31813 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy