OneLogin OIDC Client Secret Exposure via API Key Misconfiguration
Summary
A high-severity flaw in OneLogin's Identity and Access Management (IAM) solution allowed attackers with valid API credentials to retrieve client secrets for all OpenID Connect (OIDC) applications within an organization's tenant. This could enable impersonation and unauthorized access to integrated services. The vulnerability, CVE-2025-59363, was due to an incorrect resource transfer between security boundaries, allowing unauthorized access to confidential data. It was addressed in OneLogin 2025.3.0, released in September 2025. The flaw could facilitate lateral movement within an organization's network, potentially affecting multiple applications and services.
Timeline
- 01.10.2025 16:27 (1 article): OneLogin OIDC Client Secret Exposure via API Key Misconfiguration
  Source: OneLogin Bug Let Attackers Use API Keys to Steal OIDC Secrets and Impersonate Apps — thehackernews.com — 01.10.2025 16:27
Information Snippets
All snippets first reported 01.10.2025 16:27 (1 source, 1 article): OneLogin Bug Let Attackers Use API Keys to Steal OIDC Secrets and Impersonate Apps — thehackernews.com — 01.10.2025 16:27
- CVE-2025-59363 is a high-severity flaw in OneLogin's IAM solution with a CVSS score of 7.7.
- The vulnerability allowed attackers with valid API credentials to retrieve client secrets for all OIDC applications within an organization's OneLogin tenant.
- The flaw was due to the /api/2/apps endpoint returning more data than expected, including client_secret values.
- Successful exploitation could enable impersonation and unauthorized access to integrated services.
- OneLogin's RBAC grants API keys broad endpoint access, potentially allowing access to sensitive endpoints across the platform.
- The vulnerability was addressed in OneLogin 2025.3.0, released in September 2025.
- There is no evidence that the issue was exploited in the wild.
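As an added example (not OneLogin's code, which the page does not show), the snippet about /api/2/apps returning client_secret values can be illustrated in Python: an audit that flags secret-bearing fields in an apps-listing response, beside the allowlist-based serializer that prevents such over-exposure. The field names and the sample payload are constructed assumptions, not OneLogin's real schema.

```python
"""Audit an apps-listing API response for leaked OIDC client secrets.

Models the CVE-2025-59363 class of bug: a listing endpoint returns every
stored field of an app object, including client_secret, to any caller
holding an API key. The fix is to serialize from an allowlist so secrets
can never be emitted by accident. Field names and the sample payload
below are constructed for illustration (assumption, not OneLogin's API).
"""
import json

# Fields that must never appear in a listing or read response (assumed names).
SECRET_FIELDS = ("client_secret",)

# Allowlist of fields a listing endpoint legitimately needs (assumed names).
LISTING_FIELDS = {"id", "name", "auth_method", "client_id"}

# Constructed sample of an over-exposing response body.
SAMPLE_RESPONSE = json.dumps([
    {"id": 101, "name": "Payroll", "auth_method": "openid_connect",
     "client_id": "abc123", "client_secret": "s3cr3t-value"},
    {"id": 102, "name": "Wiki", "auth_method": "saml", "client_id": None},
])


def find_secret_exposure(body: str) -> list:
    """Return (app id, field name) pairs for each populated secret field."""
    findings = []
    for app in json.loads(body):
        for field in SECRET_FIELDS:
            if app.get(field):  # empty or null values are not exposures
                findings.append((app.get("id"), field))
    return findings


def serialize_for_listing(app: dict) -> dict:
    """Hardened serializer: emit only allowlisted fields, never secrets."""
    return {k: v for k, v in app.items() if k in LISTING_FIELDS}


def redact_response(body: str) -> str:
    """Re-serialize a whole listing through the allowlist serializer."""
    return json.dumps([serialize_for_listing(a) for a in json.loads(body)])


if __name__ == "__main__":
    print("exposures:", find_secret_exposure(SAMPLE_RESPONSE))
    print("hardened:", redact_response(SAMPLE_RESPONSE))
```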