
OneLogin vulnerability allows API key exploits to obtain OIDC secrets and impersonate applications

A high-severity security flaw has been identified in the One Identity OneLogin Identity and Access Management (IAM) solution which, if exploited, could expose sensitive OpenID Connect (OIDC) application client secrets. The vulnerability, tracked as CVE-2025-59363, has been assigned a CVSS score of 7.7 out of 10.0. It is classified as incorrect resource transfer between spheres (CWE-669), a weakness that lets a program cross a security boundary and gain unauthorised access to confidential data or functions. According to Clutch Security, the flaw enabled attackers with valid API credentials to enumerate and retrieve client secrets for all OIDC applications within an organisation’s OneLogin tenant, because the application listing endpoint, /api/2/apps, returned more data than intended, including client_secret values.

Exploitation involves several steps. An attacker would first use valid OneLogin API credentials (client ID and secret) to authenticate and request an access token. They would then call the /api/2/apps endpoint to list all applications and parse the response to extract the client secrets of every OIDC application. With those secrets, the attacker could impersonate applications and access integrated services. Successful exploitation could therefore allow an attacker to leverage the exposed secrets to impersonate users and gain access to other applications, facilitating lateral movement. OneLogin’s role-based access control (RBAC) grants API keys broad endpoint access, and the absence of IP address allowlisting further exacerbates the risk, enabling exploitation from anywhere in the world.

Following responsible disclosure on 18 July 2025, OneLogin addressed the vulnerability in version 2025.3.0 by ensuring that OIDC client_secret values are no longer visible. There is currently no evidence that the issue was exploited in the wild. Stuart Sharp, VP of Product at One Identity for OneLogin, emphasised the company’s commitment to customer protection and acknowledged the timely resolution of the reported vulnerability. Clutch Security highlighted the critical role of identity providers in enterprise security architecture, noting that vulnerabilities in these systems can have cascading effects across entire technology stacks.
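The defect class behind this CVE is a list endpoint that serialises whole stored records instead of an explicit set of fields, so a credential column ends up in a response that a broadly scoped API key can read. The following Python is an added illustration, not OneLogin code and not the real /api/2/apps schema: the application records, field names and secret values are constructed placeholders. It shows the leaky pattern beside the allowlist fix and includes an audit routine a defender can run over a captured JSON response body (for example, from their own tenant after upgrading) to confirm that no secret-like key carries a value.

```python
"""Excessive-data-exposure check for an application-listing endpoint.

Added illustration, not OneLogin code: the record layout below is a
constructed stand-in, not the real /api/2/apps schema. It contrasts a
list endpoint that serialises whole records (client_secret included)
with an allowlist projection, and provides an audit that walks any
decoded JSON response looking for populated credential-like keys.
"""
import json
import re
from typing import Any, Iterable

# Constructed sample tenant data; the secret values are placeholders.
APPS_DB = [
    {"id": 101, "name": "HR Portal", "auth_method": "oidc",
     "client_id": "hrportal-client", "client_secret": "PLACEHOLDER_SECRET_1"},
    {"id": 102, "name": "Wiki", "auth_method": "oidc",
     "client_id": "wiki-client", "client_secret": "PLACEHOLDER_SECRET_2"},
    {"id": 103, "name": "Legacy SAML App", "auth_method": "saml",
     "client_id": None, "client_secret": None},
]

# Fields a listing endpoint actually needs to return. Anything not named
# here is dropped, so a sensitive column added later is never exposed.
LIST_FIELDS = ("id", "name", "auth_method", "client_id")

# Key names that should never carry a value in a list/read response.
SECRET_KEY_RE = re.compile(r"(secret|password|private_key|token)$", re.I)


def list_apps_unfiltered(db: Iterable[dict]) -> str:
    """The defect pattern: serialise every stored field, secrets included."""
    return json.dumps(list(db))


def list_apps_filtered(db: Iterable[dict]) -> str:
    """Hardened form: project each record onto an explicit allowlist."""
    return json.dumps([{k: app.get(k) for k in LIST_FIELDS} for app in db])


def find_secret_keys(payload: Any, path: str = "$") -> list[str]:
    """Recursively walk a decoded JSON payload and return JSONPath-like
    locations of keys whose name looks like a credential and whose value
    is non-empty. Empty or null values are not reported."""
    hits: list[str] = []
    if isinstance(payload, dict):
        for key, value in payload.items():
            here = f"{path}.{key}"
            if SECRET_KEY_RE.search(key) and value not in (None, ""):
                hits.append(here)
            hits.extend(find_secret_keys(value, here))
    elif isinstance(payload, list):
        for index, item in enumerate(payload):
            hits.extend(find_secret_keys(item, f"{path}[{index}]"))
    return hits


def audit_response(body: str) -> list[str]:
    """Audit a raw JSON response body. An empty list means no
    credential-like key carries a value anywhere in the document."""
    return find_secret_keys(json.loads(body))


if __name__ == "__main__":
    print("unfiltered leaks:", audit_response(list_apps_unfiltered(APPS_DB)))
    print("filtered leaks:  ", audit_response(list_apps_filtered(APPS_DB)))
```

The allowlist projection is the durable fix: a denylist of known secret fields silently fails the day a new credential column is added to the record, whereas a projection only ever emits what was deliberately named. The audit function is independent of the schema, which is what makes it useful for verifying a vendor fix from the outside: feed it the body of any read or list response and a non-empty result is a finding to investigate.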
