Stratos Ally

OneLogin OIDC Client Secrets Exposed via Apps API (CVE 2025 59363)


StratosAlly


A serious security flaw has been discovered in One Identity’s OneLogin platform. In versions prior to 2025.3.0, the platform exposed OIDC client secrets through its GET /api/2/apps API endpoint. This means anyone holding valid API credentials could retrieve the secrets of every OIDC application in a company’s account.

Organizations using OneLogin with OIDC applications on versions before 2025.3.0 are affected. Thousands of enterprise tenants and hundreds of thousands of OIDC applications could have been exposed, particularly where API credentials are shared with third-party vendors. 

The vulnerable endpoint returned client_secret in routine application listings, rather than only at application creation. An attacker with valid API credentials could obtain an access token and then call the /api/2/apps endpoint to harvest the secrets, which could in turn be used to impersonate users, issue tokens, and access connected services. The flaw is classified as CWE-669 (Incorrect Resource Transfer Between Spheres), meaning sensitive information was exposed outside its intended boundary.

Exploitation could also enable some lateral movement across federated systems. Although valid API credentials are required, the risk is amplified by shared vendor keys and OneLogin’s broad RBAC privileges. The absence of IP restrictions (no allowlisting or denylisting of source addresses) means exploitation could be attempted from any location.

OneLogin addressed the issue in version 2025.3.0, after it was responsibly disclosed on July 18, 2025. Following the update, client_secret values are no longer included in API responses. According to available reports, there is no evidence that the vulnerability was exploited in the wild.

Organizations are advised to upgrade immediately, rotate all OIDC client secrets, revoke and reissue shared API keys, and review logs for unusual activity. Vendors with access should rotate credentials, and RBAC settings should be tightened to reduce risk further.
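To make the bug class and the response concrete, here is an added example (not OneLogin's code, and not part of the original post). It models the pre-fix and post-fix behaviour of an application listing described above, provides a checker a defender can run against a real listing response after upgrading to confirm that client_secret is really gone, and shows the kind of log review the remediation advice calls for. The record shape, the access-log format and all sample values are constructed for illustration; they are not OneLogin's actual schema or event format, and the expected-source-network allowlist is a hypothetical input.

```python
"""Model of the CVE-2025-59363 bug class plus two defender-side checks.

Assumptions (constructed, not OneLogin's real schema or log format):
- an OIDC app record has id, name, client_id and client_secret fields;
- the access log is one line per request: timestamp ip method path status key=<name>.
"""
import json
import re
from ipaddress import ip_address, ip_network

# Fields that must never appear in a read or list response.
SECRET_FIELDS = {"client_secret"}

# Constructed sample records an IdP might store for its OIDC apps.
APPS = [
    {"id": 1, "name": "hr-portal", "client_id": "app-1", "client_secret": "s3cr3t-one"},
    {"id": 2, "name": "wiki", "client_id": "app-2", "client_secret": "s3cr3t-two"},
]


def list_apps_vulnerable(apps=APPS):
    """Pre-fix shape of the bug: the listing serialises every stored field, secret included."""
    return json.dumps([dict(app) for app in apps])


def list_apps_fixed(apps=APPS):
    """Post-fix shape: listings never carry the secret; it is returned only at creation."""
    return json.dumps([{k: v for k, v in app.items() if k not in SECRET_FIELDS} for app in apps])


def find_exposed_secrets(response_body):
    """Return JSON paths of populated secret fields anywhere in a response body.

    Run this against the raw listing response after upgrading to verify the
    field is gone, and against any other read endpoint that should not leak it.
    """
    hits = []

    def walk(node, path):
        if isinstance(node, dict):
            for key, value in node.items():
                if key in SECRET_FIELDS and value:
                    hits.append(f"{path}.{key}")
                walk(value, f"{path}.{key}")
        elif isinstance(node, list):
            for i, value in enumerate(node):
                walk(value, f"{path}[{i}]")

    walk(json.loads(response_body), "$")
    return hits


# Constructed access-log lines in the hypothetical format described above.
SAMPLE_LOG = """\
2025-07-20T08:01:12Z 198.51.100.7 GET /api/2/apps 200 key=internal-automation
2025-07-20T08:05:40Z 203.0.113.9 GET /api/2/apps 200 key=vendor-hr-sync
2025-07-20T08:06:02Z 203.0.113.9 GET /api/2/apps/1 200 key=vendor-hr-sync
2025-07-20T09:15:33Z 198.51.100.7 GET /api/2/users 200 key=internal-automation
"""

LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3}) key=(\S+)$")


def flag_listing_calls(log_text, allowed_networks):
    """Flag successful app-listing calls from outside the expected source networks.

    Before the fix every such call handed out all client secrets, so each hit
    marks an API credential whose holder may now possess them: a candidate for
    the secret-rotation and key-reissue steps recommended above.
    Returns (timestamp, ip, key_name) tuples.
    """
    nets = [ip_network(n) for n in allowed_networks]
    flagged = []
    for line in log_text.splitlines():
        match = LOG_RE.match(line)
        if not match:
            continue  # skip lines that do not fit the constructed format
        ts, ip, method, path, status, key = match.groups()
        # Only the listing path itself (query string ignored) is of interest here.
        if method != "GET" or path.split("?", 1)[0] != "/api/2/apps" or status != "200":
            continue
        if not any(ip_address(ip) in net for net in nets):
            flagged.append((ts, ip, key))
    return flagged


if __name__ == "__main__":
    print("vulnerable listing:", find_exposed_secrets(list_apps_vulnerable()))
    print("fixed listing:", find_exposed_secrets(list_apps_fixed()))
    print("calls to review:", flag_listing_calls(SAMPLE_LOG, ["198.51.100.0/24"]))
```

The walker reports every populated secret field at any nesting depth, so it also catches a leak that moves into a nested object rather than the top-level record. The log check deliberately keys on the source network rather than on the credential name, because the advisory's point is that shared vendor keys and the lack of IP restrictions together make a valid key from an unexpected location the signal worth reviewing.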

Takeaway: CVE-2025-59363 highlights that identity providers are prime targets. Exposed secrets can have wide-ranging effects across federated systems. Prompt patching, credential rotation, and stricter API controls are critical to mitigating such vulnerabilities.

