Critical OneLogin Vulnerability Exposed Enterprise App Secrets via API Endpoint

A newly disclosed security vulnerability in OneLogin’s platform could have exposed sensitive authentication credentials for hundreds of thousands of enterprise applications. The flaw, identified and responsibly reported by cybersecurity firm Clutch Security, allowed attackers with standard API access to extract confidential OpenID Connect (OIDC) client secrets — a critical piece in application-level authentication.

The vulnerability has been assigned CVE-2025-59363 and has been patched as of OneLogin version 2025.3.0.

What Was the Risk?

The issue stemmed from a misconfigured API endpoint (/api/2/apps) that inadvertently returned sensitive client secrets in its responses. These secrets are meant to stay private between the application and the identity provider; exposing them effectively opened the door to application impersonation, unauthorized access to third-party services, and broader lateral movement across enterprise environments.

The flaw did not require elevated privileges. Any valid API key, even one issued to third-party vendors or contractors, could be used to request and retrieve secrets for every OIDC app in a company’s OneLogin tenant.
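The defect class described above, a list endpoint that serializes an object's full record including fields that were only ever meant for server-side use, is easy to illustrate. The following is an added example written for this article, not OneLogin's code: the OidcApp record, both serializers and the find_secret_fields guard are hypothetical, and the contrast is between dumping every attribute and emitting only an allowlist of fields, with a response-side check that a test suite or API gateway could run to catch secret-looking keys before they leave the server.

```python
# Added example (not OneLogin's code). Contrasts a serializer that leaks an
# OIDC client secret in a list response with one that applies a field allowlist,
# plus a response-side guard that flags secret-looking keys in a JSON-like payload.
from dataclasses import dataclass
from typing import Any


@dataclass
class OidcApp:
    """Hypothetical application record as stored by an identity provider."""
    app_id: int
    name: str
    client_id: str
    client_secret: str  # server-side only; must never appear in a list response


def serialize_app_leaky(app: OidcApp) -> dict[str, Any]:
    """Dumps every attribute of the record, including the secret.

    This is the shape of defect the advisory describes: the endpoint returns
    whatever the storage object holds, so a secret added to the model is exposed
    by default.
    """
    return dict(vars(app))


# Allowlist of fields that a list endpoint may return. Anything not named here
# is dropped, so new sensitive attributes are private by default.
LIST_FIELDS = frozenset({"app_id", "name", "client_id"})


def serialize_app_safe(app: OidcApp) -> dict[str, Any]:
    """Returns only the allowlisted fields of the record."""
    return {k: v for k, v in vars(app).items() if k in LIST_FIELDS}


# Key-name fragments that should never appear in a list/read response.
SECRET_MARKERS = ("secret", "password", "private_key", "token")


def find_secret_fields(payload: Any) -> set[str]:
    """Recursively collects keys that look like secrets anywhere in a payload.

    Intended as a response-side guard (e.g. in an API test suite or gateway):
    a non-empty result means the response must not be sent.
    """
    found: set[str] = set()
    if isinstance(payload, dict):
        for key, value in payload.items():
            if any(marker in key.lower() for marker in SECRET_MARKERS):
                found.add(key)
            found |= find_secret_fields(value)
    elif isinstance(payload, list):
        for item in payload:
            found |= find_secret_fields(item)
    return found


def list_apps(apps: list[OidcApp], safe: bool = True) -> list[dict[str, Any]]:
    """Builds the /apps list response and refuses to return it if it leaks secrets."""
    serializer = serialize_app_safe if safe else serialize_app_leaky
    body = [serializer(app) for app in apps]
    leaked = find_secret_fields(body)
    if leaked:
        raise ValueError(f"response would expose secret fields: {sorted(leaked)}")
    return body


if __name__ == "__main__":
    # Constructed sample data, not real credentials.
    inventory = [OidcApp(1, "payroll", "payroll-client", "constructed-secret-1"),
                 OidcApp(2, "ticketing", "ticketing-client", "constructed-secret-2")]
    print(list_apps(inventory))                # allowlisted fields only
    try:
        list_apps(inventory, safe=False)       # the leaky serializer is caught
    except ValueError as exc:
        print("blocked:", exc)
```

The allowlist is the important design choice: a denylist of known secret names protects only the fields someone thought of, whereas an allowlist means a newly added sensitive attribute stays private until a developer deliberately exposes it. The find_secret_fields guard is a second, independent layer for catching regressions.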

The exact number of impacted organizations is not publicly confirmed, but the exposure potential was significant. Companies using OneLogin’s OIDC integration, especially those sharing API credentials with external vendors or contractors, may have exposed all connected applications within their tenant. The scale of risk increased with the number of integrations an organization maintained, potentially affecting a large portion of OneLogin’s enterprise customer base.

Clutch’s Disclosure and OneLogin’s Response

Clutch Security discovered the vulnerability during routine API testing and reported it to OneLogin in July. After an investigation, OneLogin confirmed the issue and released a fix this month. According to the company, there is no evidence the vulnerability was exploited during the affected period.

Recommended Actions for Customers

Organizations using OneLogin should update to version 2025.3.0 or later and rotate all OIDC client secrets to invalidate any that may have been exposed. They should also review the access scopes granted to API keys and vendors to enforce the principle of least privilege, and audit API usage logs for unusual access patterns, especially from shared credentials.
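The audit step above can be turned into a repeatable check. The following is an added example, not code from OneLogin or Clutch Security: it assumes a hypothetical JSON-lines export of API access logs with ts, key_id, method, path and status fields (the sample lines are constructed), and a hand-maintained inventory describing who owns each API key and whether that key has any legitimate need to read the application list. Every successful request that reached /api/2/apps is attributed to its key, and keys belonging to external parties, or internal keys with no business reading applications, are ranked highest so their secrets are rotated first.

```python
# Added example (not OneLogin's or Clutch Security's code). Attributes successful
# reads of the /api/2/apps endpoint to API keys and ranks them for follow-up.
import json
from collections import defaultdict
from datetime import datetime
from urllib.parse import urlsplit

# The endpoint named in the advisory.
APPS_ENDPOINT = "/api/2/apps"

# Constructed sample log lines in a hypothetical JSON-lines export format.
SAMPLE_LOG = """
{"ts": "2025-08-02T09:14:03Z", "key_id": "key-hr-sync", "method": "GET", "path": "/api/2/apps", "status": 200}
{"ts": "2025-08-02T09:14:05Z", "key_id": "key-hr-sync", "method": "GET", "path": "/api/2/apps?page=2", "status": 200}
{"ts": "2025-08-03T11:02:44Z", "key_id": "key-vendor-ticketing", "method": "GET", "path": "/api/2/apps", "status": 200}
{"ts": "2025-08-03T11:02:50Z", "key_id": "key-vendor-ticketing", "method": "GET", "path": "/api/2/apps/4471", "status": 200}
{"ts": "2025-08-04T16:20:10Z", "key_id": "key-internal-admin", "method": "GET", "path": "/api/2/users", "status": 200}
{"ts": "2025-08-04T16:21:30Z", "key_id": "key-internal-admin", "method": "GET", "path": "/api/2/apps", "status": 200}
{"ts": "2025-08-05T03:40:00Z", "key_id": "key-vendor-ticketing", "method": "GET", "path": "/api/2/apps", "status": 401}
"""

# Hypothetical key inventory: who holds the key and whether it legitimately
# needs to read the application list at all.
KEY_INVENTORY = {
    "key-hr-sync":          {"owner": "internal", "needs_apps": False},
    "key-vendor-ticketing": {"owner": "external", "needs_apps": False},
    "key-internal-admin":   {"owner": "internal", "needs_apps": True},
}


def parse_log(text: str) -> list[dict]:
    """Parses one JSON object per non-empty line."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def touches_apps_endpoint(path: str) -> bool:
    """True for the collection and for individual app resources, ignoring query strings."""
    p = urlsplit(path).path
    return p == APPS_ENDPOINT or p.startswith(APPS_ENDPOINT + "/")


def _ts(value: str) -> datetime:
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def audit_app_secret_access(events: list[dict], key_inventory: dict) -> list[dict]:
    """Returns one finding per API key that successfully read /api/2/apps.

    Only successful GETs count: a rejected request (401/403) could not have
    returned any secret. Severity is "high" for external keys and for internal
    keys with no need to read applications, "review" for keys that were expected
    to read them (their secrets still need rotating, but the access is explained).
    """
    per_key: dict[str, dict] = defaultdict(lambda: {"calls": 0, "first": None, "last": None, "paths": set()})
    for e in events:
        if e["method"] != "GET" or not 200 <= int(e["status"]) < 300:
            continue
        if not touches_apps_endpoint(e["path"]):
            continue
        rec = per_key[e["key_id"]]
        when = _ts(e["ts"])
        rec["calls"] += 1
        rec["first"] = when if rec["first"] is None or when < rec["first"] else rec["first"]
        rec["last"] = when if rec["last"] is None or when > rec["last"] else rec["last"]
        rec["paths"].add(urlsplit(e["path"]).path)

    findings = []
    for key_id, rec in per_key.items():
        meta = key_inventory.get(key_id, {"owner": "unknown", "needs_apps": False})
        unexpected = meta["owner"] != "internal" or not meta["needs_apps"]
        findings.append({
            "key_id": key_id,
            "owner": meta["owner"],
            "calls": rec["calls"],
            "first": rec["first"].isoformat(),
            "last": rec["last"].isoformat(),
            "paths": sorted(rec["paths"]),
            "severity": "high" if unexpected else "review",
        })
    # Highest severity first, then most calls.
    return sorted(findings, key=lambda f: (f["severity"] != "high", -f["calls"]))


if __name__ == "__main__":
    for finding in audit_app_secret_access(parse_log(SAMPLE_LOG), KEY_INVENTORY):
        print(json.dumps(finding))
```

Keys that never appear in the inventory are reported as owner "unknown" and ranked high, which is usually the most useful outcome of this kind of audit: it surfaces credentials nobody is tracking. Whatever the ranking, the advisory's guidance still applies to every OIDC app in the tenant, so the report prioritizes rotation rather than limiting it.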

For detailed technical information and remediation guidance, visit Clutch Security’s official report here.

