OneLogin Bug Let Attackers Use API Keys to Steal OIDC Secrets and Impersonate Apps
Briefly

"A high-severity security flaw has been disclosed in the One Identity OneLogin Identity and Access Management (IAM) solution that, if successfully exploited, could expose sensitive OpenID Connect (OIDC) application client secrets under certain circumstances. The vulnerability, tracked as CVE-2025-59363, has been assigned a CVSS score of 7.7 out of 10.0. It has been described as a case of incorrect resource transfer between spheres (CWE-669), which causes a program to cross security boundaries and obtain unauthorized access to confidential data or functions."
"CVE-2025-59363 "allowed attackers with valid API credentials to enumerate and retrieve client secrets for all OIDC applications within an organization's OneLogin tenant," Clutch Security said in a report shared with The Hacker News. The identity security company said the problem stems from the fact that the application listing endpoint - /api/2/apps - was configured to return more data than expected, including the client_secret values in the API response alongside metadata related to the apps in a OneLogin account."
"Successful exploitation of the flaw could allow an attacker with valid OneLogin API credentials to retrieve client secrets for all OIDC applications configured within a OneLogin tenant. Armed with this access, the threat actor could leverage the exposed secret to impersonate users and gain access to other applications, offering opportunities for lateral movement. OneLogin's role-based access control (RBAC) grants API keys broad endpoint access, meaning the compromised credentials could be used to access sensitive endpoints."
CVE-2025-59363 is a high-severity vulnerability in the One Identity OneLogin IAM solution that, when exploited, exposes OpenID Connect (OIDC) client secrets. The flaw is classified as incorrect resource transfer between spheres (CWE-669) and carries a CVSS score of 7.7. The application listing endpoint /api/2/apps returned client_secret values alongside app metadata, so a single listing call enumerated the secrets of every OIDC app in the tenant. An attacker holding valid OneLogin API credentials can request an access token, call the apps endpoint, parse the client secrets from the response, and use them to impersonate applications and reach integrated services. Because OneLogin's RBAC grants API keys broad endpoint access, the potential impact of a compromised key is correspondingly large.
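The root cause described above is a listing endpoint that returns a secret field alongside ordinary metadata. The example below is added here and is not code from OneLogin, Clutch Security or The Hacker News; it shows the two defensive checks a practitioner would want for this class of bug: an audit that flags secret-bearing fields in a captured listing response, and an allowlist filter that models how such an endpoint should shape its output. The sample response, the metadata field names (`auth_method`, `visible`, `connector_id`) and the allowlist are constructed assumptions; only `client_secret` and the `/api/2/apps` path come from the article.

```python
import json
from copy import deepcopy

# Field names treated as secrets. "client_secret" is the field named in the
# CVE-2025-59363 disclosure; the others are generic names added as an assumption.
SECRET_FIELDS = {"client_secret", "secret", "private_key", "password"}

# Metadata a listing endpoint is expected to return. This allowlist is an
# assumption for the example, not OneLogin's documented schema.
ALLOWED_LISTING_FIELDS = {"id", "name", "auth_method", "visible", "connector_id"}

# Constructed sample of an over-sharing /api/2/apps style response: app metadata
# plus client_secret values that should never leave the server.
SAMPLE_APPS_RESPONSE = json.dumps([
    {"id": 1001, "name": "Payroll (OIDC)", "auth_method": 8, "visible": True,
     "connector_id": 111, "client_secret": "cs_EXAMPLE_0123456789abcdef"},
    {"id": 1002, "name": "Wiki (SAML)", "auth_method": 2, "visible": True,
     "connector_id": 222},
    {"id": 1003, "name": "CRM (OIDC)", "auth_method": 8, "visible": False,
     "connector_id": 333, "client_secret": "cs_EXAMPLE_fedcba9876543210"},
])


def find_secret_fields(apps, secret_fields=SECRET_FIELDS):
    """Return (app_id, field_name) pairs for every secret-like field present."""
    hits = []
    for app in apps:
        for key in sorted(app):
            if key.lower() in secret_fields:
                hits.append((app.get("id"), key))
    return hits


def filter_listing(apps, allowed=ALLOWED_LISTING_FIELDS):
    """Allowlist filter: keep only listing metadata and drop every other field.

    An allowlist (rather than a denylist of known secret names) is the shape
    that prevents this bug class: a newly added sensitive field is dropped by
    default instead of leaking until someone notices it.
    """
    return [{k: v for k, v in app.items() if k in allowed} for app in apps]


def redact(apps, secret_fields=SECRET_FIELDS):
    """Replace secret values with a marker so a captured response can be logged."""
    out = deepcopy(apps)
    for app in out:
        for key in list(app):
            if key.lower() in secret_fields:
                app[key] = "[REDACTED]"
    return out


def audit_response(raw_json):
    """Parse a captured listing response and report which apps leak secrets."""
    apps = json.loads(raw_json)
    hits = find_secret_fields(apps)
    return {
        "apps": len(apps),
        "leaks": hits,
        "affected_app_ids": sorted({app_id for app_id, _ in hits}),
        "filtered": filter_listing(apps),
    }


if __name__ == "__main__":
    report = audit_response(SAMPLE_APPS_RESPONSE)
    print(f"{len(report['leaks'])} secret field(s) across {report['apps']} apps: "
          f"{report['leaks']}")
    print(json.dumps(redact(json.loads(SAMPLE_APPS_RESPONSE)), indent=2))
```

Run it as a script to see the audit summary and a redacted copy of the sample. In a real review the `audit_response` input would be a response body captured from your own tenant's test harness, and the `filtered` output is what a listing endpoint should have returned in the first place.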
Read at The Hacker News