OneLogin Bug Let Attackers Use API Keys to Steal OIDC Secrets and Impersonate Apps


A critical security vulnerability in One Identity OneLogin’s IAM solution could allow attackers holding valid API credentials to access sensitive OIDC client secrets. The flaw has been fixed in a recent update, and no active exploitation has been reported.

Key points

  • The vulnerability CVE-2025-59363 allows unauthorized retrieval of OIDC client secrets in OneLogin.
  • Attackers with valid API credentials can list all applications and extract confidential data.
  • The flaw stems from an API endpoint returning more data than intended, including secrets.
  • Following responsible disclosure, the issue was resolved in OneLogin version 2025.3.0.
  • No evidence suggests the vulnerability was exploited before it was fixed.
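The flaw class described in the third point, an endpoint that serializes more of a stored record than its callers need, is common enough to be worth seeing next to its fix. The following is an added example written for this summary; it is not OneLogin's code, and the record layout, field names and the two listing functions are hypothetical. It shows the over-exposing pattern, the allowlisted response that replaces it, and a small payload check a team can run in tests or in an outbound response filter to catch secret-bearing fields before they leave the server.

```python
"""Illustration of the 'endpoint returns more than intended' flaw class.

Hypothetical example: the records, field names and endpoint functions below
are constructed for this note and do not describe OneLogin's API.
"""

# Constructed sample records for a fictional OIDC app registry.
APP_RECORDS = [
    {
        "id": 101,
        "name": "payroll-portal",
        "client_id": "cid-a1b2",
        "client_secret": "constructed-secret-payroll",
        "redirect_uris": ["https://payroll.example/cb"],
    },
    {
        "id": 102,
        "name": "wiki",
        "client_id": "cid-c3d4",
        "client_secret": "constructed-secret-wiki",
        "redirect_uris": ["https://wiki.example/cb"],
    },
]

# Fields a caller of the listing endpoint legitimately needs.
LIST_FIELDS = ("id", "name", "client_id", "redirect_uris")

# Field names that must never be returned by a read/list endpoint.
SENSITIVE_FIELDS = frozenset({"client_secret"})


def list_apps_unsafe(records):
    """The flawed pattern: serialize each stored record as-is.

    Anyone with credentials for the list call receives every column,
    including the OIDC client secret, which is exactly the over-disclosure
    the summary describes.
    """
    return [dict(r) for r in records]


def list_apps_safe(records):
    """Hardened pattern: build the response from an explicit allowlist.

    New columns added to the record later stay private by default; a field
    only reaches the client when it is named in LIST_FIELDS.
    """
    return [{k: r[k] for k in LIST_FIELDS if k in r} for r in records]


def leaked_fields(payload, sensitive=SENSITIVE_FIELDS):
    """Return the set of sensitive field names present anywhere in a payload.

    Walks nested dicts and lists, so it works on a whole response body.
    Useful as a unit-test assertion or as a last-line outbound filter.
    """
    found = set()

    def walk(obj):
        if isinstance(obj, dict):
            for key, value in obj.items():
                if key in sensitive:
                    found.add(key)
                walk(value)
        elif isinstance(obj, list):
            for item in obj:
                walk(item)

    walk(payload)
    return found


if __name__ == "__main__":
    print("unsafe listing leaks:", leaked_fields(list_apps_unsafe(APP_RECORDS)))
    print("safe listing leaks:  ", leaked_fields(list_apps_safe(APP_RECORDS)))
```

The design choice that matters is the direction of the default: the unsafe version exposes everything unless someone remembers to strip a field, while the safe version exposes nothing unless someone deliberately adds it to the allowlist. Pairing that with a `leaked_fields` assertion in the endpoint's tests turns an accidental secret exposure into a failing build rather than a disclosure.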

Read More: https://thehackernews.com/2025/10/onelogin-bug-let-attackers-use-api-keys.html