Date: Oct 01, 2025
Author: Ravie Lakshmanan
Tags: Vulnerability / API Security
A critical security vulnerability has been disclosed in the One Identity OneLogin Identity and Access Management (IAM) solution that, if exploited, could expose sensitive OpenID Connect (OIDC) application client secrets. The vulnerability, tracked as CVE-2025-59363, carries a CVSS score of 7.7 out of 10.0 and is categorized as incorrect resource transfer between spheres (CWE-669), leading to unauthorized access to confidential data or functions.
According to Clutch Security, the flaw allowed attackers with valid API credentials to retrieve client secrets for all OIDC applications within an organization’s OneLogin tenant. The root cause of the issue lies in the configuration of the application listing endpoint, which inadvertently exposed client_secret values in the API response.
The attack scenario involves using valid API credentials to authenticate, requesting an access token, listing all applications through the /api/2/apps endpoint, parsing the response to extract client secrets, and finally leveraging these secrets to impersonate applications and access integrated services.
If successfully exploited, the vulnerability could give an attacker unauthorized access to the client secrets of every OIDC application in a OneLogin tenant. That access could in turn be used to impersonate users and gain entry to other integrated applications, potentially enabling lateral movement within the platform.
Following responsible disclosure, OneLogin addressed the vulnerability in the OneLogin 2025.3.0 release by making OIDC client_secret values no longer visible. There is no evidence to suggest that the flaw was exploited in the wild.
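For teams verifying the fix, the following added check (not OneLogin's or Clutch Security's code) scans a saved /api/2/apps listing for entries that still carry a client_secret value and masks such values before a response is written to logs; the field layout of the constructed sample response is an assumption, since the article does not show the API's JSON shape.

```python
from typing import Any, Iterator

# Assumption: the advisory names the leaked field "client_secret"; extend this
# set with any other secret-bearing field names your tenant's responses use.
SECRET_KEYS = {"client_secret"}

def walk(obj: Any, path: str = "") -> Iterator[tuple[str, Any]]:
    """Yield (dotted path, value) for every leaf of a nested JSON structure."""
    if isinstance(obj, dict):
        for key, value in obj.items():
            yield from walk(value, f"{path}.{key}" if path else key)
    elif isinstance(obj, list):
        for i, value in enumerate(obj):
            yield from walk(value, f"{path}[{i}]")
    else:
        yield path, obj

def find_exposed_secrets(apps: list[dict]) -> list[dict]:
    """One finding per app entry that still carries a non-empty secret value."""
    findings = []
    for app in apps:
        for path, value in walk(app):
            if path.rsplit(".", 1)[-1] in SECRET_KEYS and value:
                findings.append({"app_id": app.get("id"), "name": app.get("name"), "field": path})
    return findings

def is_patched(apps: list[dict]) -> bool:
    """True when no application in the listing exposes a secret (expected after 2025.3.0)."""
    return not find_exposed_secrets(apps)

def redact(obj: Any) -> Any:
    """Copy of the response with secret values masked, safe to write to logs."""
    if isinstance(obj, dict):
        return {k: "[REDACTED]" if k in SECRET_KEYS and v else redact(v) for k, v in obj.items()}
    if isinstance(obj, list):
        return [redact(v) for v in obj]
    return obj

# Constructed sample standing in for the parsed JSON body of a saved
# /api/2/apps response; the layout and values are assumed for illustration.
SAMPLE_APPS = [
    {"id": 101, "name": "Payroll (OIDC)",
     "configuration": {"client_id": "abc123", "client_secret": "s3cr3t-value"}},
    {"id": 102, "name": "Wiki (OIDC)", "configuration": {"client_id": "def456", "client_secret": ""}},
    {"id": 103, "name": "Legacy SAML", "configuration": {"sso_url": "https://idp.example/sso"}},
]

if __name__ == "__main__":
    print("patched:", is_patched(SAMPLE_APPS))   # prints "patched: False"
    for finding in find_exposed_secrets(SAMPLE_APPS):
        print("exposed:", finding)
    print(redact(SAMPLE_APPS))
```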
Clutch Security emphasized the critical nature of API security in identity providers, stating that vulnerabilities in these systems can have widespread repercussions across entire technology stacks.