CyberHappenings

Track cybersecurity events as they unfold. Sourced timelines. Filter, sort, and browse. Fast, privacy‑respecting. No invasive ads, no tracking.

OneLogin OIDC Client Secret Exposure via API Key Misconfiguration

1 unique source, 1 article

Summary

A high-severity flaw in OneLogin's Identity and Access Management (IAM) platform, tracked as CVE-2025-59363, allowed any caller holding valid OneLogin API credentials to retrieve the client secrets of every OpenID Connect (OIDC) application configured in the organization's tenant. The root cause is classified as an incorrect resource transfer between security boundaries: a secret that should stay confined to the tenant's application configuration was handed out through the general-purpose API, so API credentials that were never meant to grant access to individual applications effectively did. With a client secret in hand, an attacker can authenticate to the identity provider as the legitimate OIDC client, which enables impersonation, unauthorized access to the integrated service, and lateral movement across the many applications federated through the tenant. OneLogin addressed the issue in release 2025.3.0, shipped in September 2025. Because the fix only stops further disclosure, any OIDC client secret that may have been read before the update remains valid until it is rotated, so affected organizations should rotate those secrets and review API credential usage for the exposure window.
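The defect class described above is a read API that serializes a stored record wholesale, secret and all, to any caller with API credentials. The example below is added here and is not OneLogin's code; the app records, field names and the hypothetical `list_apps_vulnerable` / `list_apps_hardened` handlers are constructed to illustrate the pattern. It shows the leaky serializer beside an allowlist-based one, and a response-audit check that walks a decoded JSON body and reports where secret-bearing keys appear, which is the kind of assertion a practitioner would put in API contract tests so a regression of this sort is caught before release.

```python
"""Illustration of an IAM read API leaking OIDC client secrets and the
allowlist fix. Constructed example; not OneLogin's code or API layout."""

from __future__ import annotations

import json
from typing import Any

# Constructed sample of what an IAM backend might hold per application.
# The client_secret is needed only by the authorization server when the
# client authenticates; it must never be returned by a generic read API.
APP_STORE: list[dict[str, Any]] = [
    {"id": 101, "name": "payroll", "auth_method": "OIDC",
     "client_id": "payroll-abc123", "client_secret": "s3cr3t-payroll",
     "redirect_uri": "https://payroll.example.com/callback"},
    {"id": 102, "name": "wiki", "auth_method": "SAML",
     "entity_id": "https://wiki.example.com/sp"},
    {"id": 103, "name": "ci", "auth_method": "OIDC",
     "client_id": "ci-def456", "client_secret": "s3cr3t-ci",
     "redirect_uri": "https://ci.example.com/oidc"},
]

# Key names that should never cross the API boundary in a response body.
SECRET_KEYS = {"client_secret", "secret", "private_key", "api_secret"}

# Fields a tenant API consumer legitimately needs to see (assumed set).
PUBLIC_FIELDS = {"id", "name", "auth_method", "client_id",
                 "redirect_uri", "entity_id"}


def list_apps_vulnerable(store: list[dict[str, Any]]) -> list[dict[str, Any]]:
    """Vulnerable pattern: the stored record is returned as-is, so every
    holder of API credentials receives every OIDC client secret."""
    return [dict(app) for app in store]


def list_apps_hardened(store: list[dict[str, Any]]) -> list[dict[str, Any]]:
    """Hardened pattern: serialize through an allowlist. A sensitive column
    added to the store later is excluded by default rather than leaked."""
    return [{k: v for k, v in app.items() if k in PUBLIC_FIELDS}
            for app in store]


def find_leaked_secrets(payload: Any, path: str = "$") -> list[str]:
    """Walk a decoded JSON response and return JSONPath-like locations of
    non-empty secret-bearing keys. Intended for API contract tests."""
    hits: list[str] = []
    if isinstance(payload, dict):
        for key, value in payload.items():
            child = f"{path}.{key}"
            if key.lower() in SECRET_KEYS and value not in (None, ""):
                hits.append(child)
            hits.extend(find_leaked_secrets(value, child))
    elif isinstance(payload, list):
        for index, item in enumerate(payload):
            hits.extend(find_leaked_secrets(item, f"{path}[{index}]"))
    return hits


def oidc_client_secrets_in(payload: Any) -> list[str]:
    """Locations of OIDC client secrets an API caller would obtain from
    this response; a non-empty result is a tenant-wide exposure."""
    return [h for h in find_leaked_secrets(payload)
            if h.endswith(".client_secret")]


if __name__ == "__main__":
    for label, handler in (("vulnerable", list_apps_vulnerable),
                           ("hardened", list_apps_hardened)):
        # Round-trip through JSON exactly as a real HTTP response would be.
        body = json.loads(json.dumps(handler(APP_STORE)))
        print(label, oidc_client_secrets_in(body))
```

The allowlist is the important half: a denylist of secret names drifts as new columns are added, whereas an allowlist makes every new field private until someone deliberately exposes it. The audit walker is a second line of defence, run against real responses in tests rather than against the serializer's source.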

Timeline

  1. 01.10.2025 16:27 · 1 article

    OneLogin OIDC Client Secret Exposure via API Key Misconfiguration


Information Snippets