High-Severity Vulnerability Discovered in OneLogin IAM Solution
On October 1, 2025, a significant security flaw came to light in the One Identity OneLogin Identity and Access Management (IAM) solution. If exploited, the vulnerability could expose sensitive OpenID Connect (OIDC) application client secrets, raising serious concerns for users and organizations that rely on this technology.
Understanding the Vulnerability: CVE-2025-59363
This issue, designated CVE-2025-59363, has received a CVSS score of 7.7 out of 10, placing it in the high-severity category. It is classified as CWE-669, an incorrect transfer of a resource between security spheres: in practice, confidential data crosses an established security boundary and becomes available to a party that should never receive it.
According to a report from Clutch Security shared with The Hacker News, this vulnerability permits attackers with valid API credentials to access and enumerate client secrets for all OIDC applications residing within a OneLogin tenant.
How the Vulnerability Works
The root of the problem lies in the /api/2/apps endpoint of the OneLogin application, which is improperly configured. This endpoint returns excessive data, specifically client_secret values, alongside the other application metadata for the applications in a user's OneLogin account.
Here’s a step-by-step breakdown of how the attack could be executed:
- The attacker uses valid OneLogin API credentials, including the client ID and secret, for authentication.
- A request for an access token is issued.
- The attacker calls the /api/2/apps endpoint to fetch a comprehensive list of applications.
- The API response is then parsed to extract client secrets for all OIDC applications.
- With the obtained client secrets, the attacker could impersonate applications and gain access to integrated services.
The retrieved secrets thus give attackers a pathway to impersonate users and gain unauthorized access to various applications and services.
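The excessive-data-exposure pattern behind this flaw, shown as an added example rather than OneLogin's own code: a list serializer that returns stored records whole, beside an allowlisted one, plus an audit routine that flags credential-like fields in an API response body. The field names and sample records are constructed assumptions; the real OneLogin schema is not given on the page.

```python
"""Added example (not OneLogin's code): excessive data exposure in an app-listing
endpoint, a vulnerable serializer beside a hardened one, and a response audit."""
import json
import re

# Constructed sample of what an app-listing backend might hold per OIDC app.
# Field names are assumptions; the real OneLogin schema is not on the page.
APP_RECORDS = [
    {"id": 101, "name": "Payroll", "auth_method": "OIDC",
     "client_id": "abc123", "client_secret": "s3cr3t-payroll"},
    {"id": 102, "name": "Wiki", "auth_method": "OIDC",
     "client_id": "def456", "client_secret": "s3cr3t-wiki"},
]

def list_apps_vulnerable(records):
    """Returns the stored records as-is: every field, secrets included."""
    return json.dumps(records)

# Allowlist of the fields a list endpoint legitimately needs to return.
APP_LIST_FIELDS = ("id", "name", "auth_method", "client_id")

def list_apps_hardened(records):
    """Serializes only allowlisted fields, so secrets never reach the wire."""
    return json.dumps([{k: r[k] for k in APP_LIST_FIELDS if k in r} for r in records])

SECRET_KEY_PATTERN = re.compile(r"(secret|password|private_key|token)", re.I)

def find_secret_fields(body, path=""):
    """Walks a decoded JSON body and returns dotted paths of keys whose names
    look like credentials. Run it in tests against your own API responses."""
    hits = []
    if isinstance(body, dict):
        for k, v in body.items():
            p = f"{path}.{k}" if path else k
            if SECRET_KEY_PATTERN.search(k):
                hits.append(p)
            hits.extend(find_secret_fields(v, p))
    elif isinstance(body, list):
        for i, v in enumerate(body):
            hits.extend(find_secret_fields(v, f"{path}[{i}]"))
    return hits

def audit_response(body_text):
    """Decodes a JSON response body and lists any credential-like fields in it."""
    return find_secret_fields(json.loads(body_text))

if __name__ == "__main__":
    print(audit_response(list_apps_vulnerable(APP_RECORDS)))  # -> ['[0].client_secret', '[1].client_secret']
    print(audit_response(list_apps_hardened(APP_RECORDS)))    # -> []
```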
Impact and Scope of the Flaw
The ability to exploit this vulnerability is particularly concerning because of how OneLogin's role-based access control (RBAC) scopes API keys: a key is granted considerable access across multiple endpoints, so a compromised credential could have widespread consequences. Furthermore, the absence of IP address allowlisting means the flaw could, in theory, be exploited from any location worldwide.
Clutch Security emphasized that such vulnerabilities in identity providers can have cascading effects throughout an organization’s entire technology stack, underscoring the critical need for robust API security.
Response from OneLogin
Following responsible disclosure of the vulnerability on July 18, 2025, OneLogin released version 2025.3.0 to fix the problem. That release stops exposing OIDC client_secret values, mitigating the risk posed by the flaw. Importantly, there is no evidence that the vulnerability was exploited in the wild.
Stuart Sharp, Vice President of Product at One Identity for OneLogin, expressed that customer protection remains the top priority. He acknowledged Clutch Security’s responsible disclosure and stated, "The reported vulnerability was resolved within a reasonable timeframe with the OneLogin 2025.3.0 release. To our knowledge, no customers were impacted by this vulnerability."
Importance of Rigorous API Security
As highlighted by Clutch Security, identity providers play a crucial role in the overall security architecture of enterprises. Vulnerabilities within these systems necessitate stringent measures to ensure comprehensive API security. Companies must remain vigilant in monitoring and addressing any potential weaknesses to prevent substantial security breaches.
By staying informed and proactive, organizations can better protect themselves from such vulnerabilities and maintain the integrity of their data security measures.