OneLogin API Vulnerability Allowed Secret Theft, App Impersonation
A critical flaw in the One Identity OneLogin platform could have allowed attackers to pilfer sensitive OpenID Connect client secrets. Experts warn that exploiting the vulnerability could have let malicious actors impersonate legitimate applications, potentially granting them unauthorized access to user data and systems.

A serious security vulnerability was recently discovered in One Identity's OneLogin Identity and Access Management (IAM) solution. The issue? Under certain conditions, attackers could have potentially accessed sensitive OpenID Connect (OIDC) application client secrets. Let's break down what that means.
The Vulnerability: CVE-2025-59363
Designated as CVE-2025-59363 and given a severity score of 7.7 out of 10, this flaw essentially involved a program crossing security boundaries. Think of it like accidentally giving someone the keys to the entire building instead of just their office. This is officially classified as incorrect resource transfer between spheres (CWE-669).
According to a report by Clutch Security, "attackers with valid API credentials could enumerate and retrieve client secrets for all OIDC applications within an organization's OneLogin tenant." Yikes.
The problem lay in the application listing endpoint – /api/2/apps. It was returning more information than it should have, specifically the client_secret values alongside other app metadata.
How the Attack Worked:
Here's a step-by-step of how an attacker could exploit this:
- Step 1: Use valid OneLogin API credentials (client ID and secret) to get authenticated.
- Step 2: Request an access token.
- Step 3: Call the /api/2/apps endpoint to list all the applications.
- Step 4: Parse the response, grabbing those client secrets for all the OIDC applications.
- Step 5: Use those stolen secrets to impersonate applications and access integrated services.
Essentially, with the right (or rather, *wrong*) access, an attacker could grab the keys to the kingdom and move laterally through other applications.
Why This Was So Dangerous
OneLogin's role-based access control (RBAC) grants API keys fairly broad access, meaning a compromised key could unlock access to sensitive endpoints across the platform. Plus, the lack of IP address allowlisting meant attackers could try this from anywhere in the world, according to Clutch Security.
The Fix is In
Fortunately, OneLogin addressed this issue in OneLogin 2025.3.0, released last month. The fix removes the visibility of OIDC client_secret values. The good news? There's no evidence that this vulnerability was ever exploited in the wild.
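For admins who want to confirm the fix on their own tenant, here is an added example (not OneLogin's code or Clutch Security's) that audits a saved /api/2/apps response for any app object still carrying a populated client_secret, and shows the server-side counterpart of the fix: dropping the field before the listing is serialised. The sample listing and every field name other than client_secret are constructed assumptions, not OneLogin's real schema.

```python
import json

# Constructed sample of a pre-fix /api/2/apps listing. Only "client_secret" is
# named on the page; the other keys are assumed for illustration.
VULNERABLE_LISTING = json.dumps([
    {"id": 101, "name": "Payroll (OIDC)", "auth_method": "oidc",
     "configuration": {"client_id": "payroll-client", "client_secret": "s3cr3t-value"}},
    {"id": 102, "name": "Wiki (SAML)", "auth_method": "saml", "configuration": {}},
])

SECRET_FIELDS = {"client_secret"}


def find_secret_fields(obj, path=""):
    """Walk a decoded JSON value and return the dotted paths of every populated
    secret field, at any nesting depth, without returning the secret itself."""
    hits = []
    if isinstance(obj, dict):
        for key, value in obj.items():
            child = f"{path}.{key}" if path else key
            if key in SECRET_FIELDS and value not in (None, ""):
                hits.append(child)
            hits.extend(find_secret_fields(value, child))
    elif isinstance(obj, list):
        for i, item in enumerate(obj):
            hits.extend(find_secret_fields(item, f"{path}[{i}]"))
    return hits


def audit_app_listing(raw_json):
    """Map app id -> leaking paths for every app in a listing response.
    An empty dict means no app in the listing exposes a secret field."""
    leaks = {}
    for app in json.loads(raw_json):
        paths = find_secret_fields(app)
        if paths:
            leaks[app.get("id")] = paths
    return leaks


def strip_secret_fields(obj):
    """Return a copy with every secret field removed outright (not masked), which
    is what a listing endpoint should do before serialising app metadata."""
    if isinstance(obj, dict):
        return {k: strip_secret_fields(v) for k, v in obj.items() if k not in SECRET_FIELDS}
    if isinstance(obj, list):
        return [strip_secret_fields(item) for item in obj]
    return obj


def hardened_listing(raw_json):
    """Re-serialise a listing with secret fields removed; the audit should then pass."""
    return json.dumps(strip_secret_fields(json.loads(raw_json)))
```

Running audit_app_listing on a listing fetched from a patched tenant should return an empty dict; any path it reports is a field that still needs to go.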
"Protecting our customers is our top priority, and we appreciate the responsible disclosure by Clutch Security," said Stuart Sharp, VP of Product at One Identity for OneLogin. "The reported vulnerability was resolved within a reasonable timeframe with the OneLogin 2025.3.0 release. To our knowledge, no customers were impacted by this vulnerability."
Clutch Security emphasizes the importance of identity providers, stating, "Identity providers serve as the backbone of enterprise security architecture. Vulnerabilities in these systems can have cascading effects across entire technology stacks, making rigorous API security essential."