High-Severity Security Flaw Discovered in One Identity OneLogin IAM Solution
On October 1, 2025, a high-severity security flaw was disclosed in the One Identity OneLogin Identity and Access Management (IAM) solution. This vulnerability, if successfully exploited, could potentially expose sensitive OpenID Connect (OIDC) application client secrets under certain circumstances.
The vulnerability, tracked as CVE-2025-59363, has been assigned a CVSS score of 7.7 out of 10.0. It has been categorized as a case of incorrect resource transfer between spheres (CWE-669), a weakness class in which data crosses a security boundary it was never meant to cross, giving a program unauthorized access to confidential data or functions.
Details of the Vulnerability
According to a report shared with The Hacker News by Clutch Security, CVE-2025-59363 allowed attackers with valid API credentials to enumerate and retrieve client secrets for all OIDC applications within an organization’s OneLogin tenant.
The root cause of the issue lies in the application listing endpoint (/api/2/apps), which returned more data than intended: alongside the metadata for each app in a OneLogin account, the API response included the apps' client_secret values.
The steps to exploit the vulnerability are as follows:
- Attacker uses valid OneLogin API credentials (client ID and secret) to authenticate
- Request access token
- Call the /api/2/apps endpoint to list all applications
- Parse the response to retrieve client secrets for all OIDC applications
- Use extracted client secrets to impersonate applications and access integrated services
Potential Impact and Resolution
If successfully exploited, the flaw could enable an attacker to retrieve client secrets for all OIDC applications configured within a OneLogin tenant. With this access, the threat actor could impersonate users and gain entry to other applications, facilitating lateral movement.
OneLogin’s role-based access control (RBAC) grants API keys broad endpoint access, allowing compromised credentials to access sensitive endpoints across the platform. Additionally, the lack of IP address allowlisting could enable attackers to exploit the vulnerability from anywhere in the world.
Following responsible disclosure on July 18, 2025, the vulnerability was addressed in OneLogin 2025.3.0. This update removed OIDC client_secret values from the API response, mitigating the risk. There is no evidence to suggest that the flaw was ever exploited in the wild.
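The defect class described above (a listing endpoint that serializes whole records and so ships the client_secret field along with the metadata) and the shape of the fix (the secret no longer appears in the response) can be modelled in a few lines. The following is an added illustration written for this article, not OneLogin's code: the app records, field names and placeholder secrets are constructed, and the audit function is a generic check a team could run against any JSON API response in a test suite to catch a regression of this kind.

```python
"""Model of excessive API data exposure (CWE-669) and its fix.

Constructed illustration, not OneLogin's code. An application-listing
endpoint that serializes entire records leaks every field, including
OIDC client secrets. The hardened version serializes an explicit
allowlist of fields, and an audit check scans a response body for
secret-bearing keys so the regression is caught before release.
"""
import json
from dataclasses import dataclass, asdict


@dataclass
class OidcApp:
    id: int
    name: str
    client_id: str
    client_secret: str      # must never leave the server in a listing response
    redirect_uris: list


# Constructed sample tenant data; the secrets are placeholders, not real values.
APPS = [
    OidcApp(101, "HR Portal", "hrp-client-id", "hrp-SECRET-PLACEHOLDER",
            ["https://hr.example.test/cb"]),
    OidcApp(102, "Wiki", "wiki-client-id", "wiki-SECRET-PLACEHOLDER",
            ["https://wiki.example.test/cb"]),
]


def list_apps_leaky(apps):
    """Weak form: dumps every field of every record, so client_secret
    crosses the server boundary together with harmless metadata."""
    return json.dumps([asdict(a) for a in apps])


# Fields a listing endpoint legitimately needs to expose (constructed allowlist).
LISTING_FIELDS = ("id", "name", "client_id", "redirect_uris")


def list_apps_hardened(apps):
    """Fixed form: an explicit allowlist decides what the response contains.
    New fields added to the record later stay private by default."""
    return json.dumps([{k: getattr(a, k) for k in LISTING_FIELDS} for a in apps])


# Key names that should never appear in a listing response (constructed set).
SECRET_KEYS = {"client_secret", "secret", "private_key", "password"}


def find_exposed_secret_paths(body):
    """Audit check: return the JSON paths of secret-bearing keys with a
    non-empty value anywhere in a response body. Walks nested objects and
    arrays so a secret tucked inside per-app metadata is found too."""
    found = []

    def walk(node, path):
        if isinstance(node, dict):
            for key, value in node.items():
                here = f"{path}.{key}" if path else key
                if key.lower() in SECRET_KEYS and value not in (None, ""):
                    found.append(here)
                walk(value, here)
        elif isinstance(node, list):
            for index, value in enumerate(node):
                walk(value, f"{path}[{index}]")

    walk(json.loads(body), "")
    return found


if __name__ == "__main__":
    print("leaky    :", find_exposed_secret_paths(list_apps_leaky(APPS)))
    print("hardened :", find_exposed_secret_paths(list_apps_hardened(APPS)))
```

Running the audit against the leaky serializer reports a path for each app's client_secret, while the allowlisted serializer reports none. The design point is that the hardened form is deny-by-default: a serializer that starts from the full record and tries to strip sensitive fields has to be updated every time a new secret-bearing field is added, whereas an allowlist only ever exposes what was deliberately chosen.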
In response to the disclosure, Stuart Sharp, VP of Product at One Identity for OneLogin, stated, “Protecting our customers is our top priority, and we appreciate the responsible disclosure by Clutch Security. The reported vulnerability was resolved within a reasonable timeframe with the OneLogin 2025.3.0 release. To our knowledge, no customers were impacted by this vulnerability.”
Conclusion
According to Clutch Security, “Identity providers serve as the backbone of enterprise security architecture. Vulnerabilities in these systems can have cascading effects across entire technology stacks, making rigorous API security essential.”
For more information, see the full article at The Hacker News.