
Fadymak

#49958 of 53,624
4.8 Total CVSS
Vulnerabilities · 1
PT-2026-24743
4.8
2026-03-11
Git · Auth · CVE-2026-31813
**Name of the Vulnerable Software and Affected Versions**

Supabase Auth versions prior to 2.185.0

**Description**

Supabase Auth is a JWT-based API used for managing users and issuing JWT tokens. A flaw exists where an attacker can create sessions for any user by using specially crafted ID tokens when the Apple or Azure providers are enabled. The attacker sends a valid, asymmetrically signed ID token to the Supabase Auth token endpoint using the ID token flow. If the ID token conforms to OIDC standards, the Auth server validates it against the attacker's issuer, linking the victim's existing OIDC identity (Apple or Azure) to a new OIDC identity based on the token's content. This allows the attacker to obtain a valid user session, including access and refresh tokens, at the AAL1 level.

**Recommendations**

Versions prior to 2.185.0 should be updated to version 2.185.0 or later.