OneLogin Bug Let Attackers Use API Keys to Steal OIDC Secrets and Impersonate Apps

Severity: High | Exploit
Published: Wed Oct 01 2025 (10/01/2025, 13:27:00 UTC)
Source: The Hacker News

Description

A high-severity security flaw has been disclosed in the One Identity OneLogin Identity and Access Management (IAM) solution that, if successfully exploited, could expose sensitive OpenID Connect (OIDC) application client secrets under certain circumstances. The vulnerability, tracked as CVE-2025-59363, has been assigned a CVSS score of 7.7 out of 10.0. It has been described as a case of

AI-Powered Analysis

Last updated: 10/07/2025, 01:10:27 UTC

Technical Analysis

The disclosed vulnerability, CVE-2025-59363, affects the One Identity OneLogin Identity and Access Management (IAM) solution. It is categorized as an incorrect resource transfer between security spheres (CWE-669), where a program crosses security boundaries and gains unauthorized access to confidential data. Specifically, the /api/2/apps endpoint, intended to list applications, was misconfigured to include sensitive OIDC client_secret values in its response. An attacker possessing valid OneLogin API credentials (client ID and secret) could authenticate, request an access token, and call this endpoint to enumerate all OIDC applications and extract their client secrets. These secrets could then be used to impersonate applications, granting unauthorized access to integrated services and enabling lateral movement within the victim’s environment. The broad endpoint access granted by OneLogin’s role-based access control (RBAC) to API keys exacerbates the risk, as compromised credentials could be used to access other sensitive platform endpoints. Additionally, the absence of IP allowlisting means attackers can exploit this vulnerability remotely from any location. The vulnerability was responsibly disclosed on July 18, 2025, and remediated in OneLogin version 2025.3.0 by removing client_secret values from API responses. There is no public evidence of exploitation in the wild. Given that identity providers are critical to enterprise security architectures, this flaw posed significant risk of cascading security failures across technology stacks relying on OneLogin for authentication and authorization.

Potential Impact

For European organizations, the impact of this vulnerability could be severe due to the central role of OneLogin in managing identity and access across multiple applications and services. Exposure of OIDC client secrets compromises the confidentiality and integrity of authentication credentials, enabling attackers to impersonate legitimate applications and potentially users. This could lead to unauthorized access to sensitive corporate resources, data breaches, and lateral movement within networks, increasing the risk of further exploitation such as data exfiltration or ransomware deployment. The broad API access granted by OneLogin’s RBAC model means that compromised API credentials could be leveraged to access additional sensitive endpoints, amplifying the attack surface. The lack of IP allowlisting increases the attack vector to any remote attacker with valid API credentials, raising the likelihood of exploitation. European organizations in sectors with high regulatory requirements for data protection (e.g., finance, healthcare, government) could face compliance violations and reputational damage if impacted. The vulnerability’s exploitation could also disrupt business operations by undermining trust in identity services and causing service outages or forced emergency remediation.

Mitigation Recommendations

European organizations using OneLogin should immediately upgrade to OneLogin version 2025.3.0 or later, which removes OIDC client_secret values from API responses. Beyond patching, organizations must audit and rotate all API credentials to limit exposure from potentially compromised keys. Implement strict role-based access controls to minimize API key privileges, ensuring keys only have access to necessary endpoints. Enable IP allowlisting or network-based restrictions where possible to limit API access to trusted networks. Monitor API usage logs for unusual activity, such as unexpected calls to the /api/2/apps endpoint or mass enumeration attempts. Employ multi-factor authentication (MFA) for API credential management and access to OneLogin administrative functions. Conduct regular security reviews of identity provider configurations and integrate anomaly detection tools to identify suspicious impersonation attempts. Finally, educate security teams on the risks of identity provider vulnerabilities and prepare incident response plans specifically addressing IAM compromise scenarios.
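To make the log-monitoring recommendation concrete, here is an added example (not part of the article or of OneLogin's own tooling) that scans API access log lines for credentials enumerating the /api/2/apps endpoint in a short time window. The log line format, the field order and the query-string shape are assumptions; the sample lines are constructed.

```python
# Added example: flag API credentials that call /api/2/apps at a rate that
# suggests mass enumeration of OIDC application records. Log format assumed:
# "<ISO8601 ts> <client_id> <method> <path> <status>"; sample lines constructed.
import re
from collections import defaultdict
from datetime import datetime, timedelta

SAMPLE_LOG = """\
2025-10-01T10:00:01Z api-key-aaaa GET /api/2/users 200
2025-10-01T10:00:03Z api-key-aaaa GET /api/2/apps 200
2025-10-01T10:00:05Z api-key-bbbb GET /api/2/apps 200
2025-10-01T10:00:06Z api-key-bbbb GET /api/2/apps?page=2 200
2025-10-01T10:00:07Z api-key-bbbb GET /api/2/apps?page=3 200
2025-10-01T10:00:08Z api-key-bbbb GET /api/2/apps/101 200
2025-10-01T10:00:09Z api-key-bbbb GET /api/2/apps/102 200
2025-10-01T10:00:10Z api-key-bbbb GET /api/2/apps/103 200
2025-10-01T10:05:00Z api-key-cccc GET /api/2/apps 200
2025-10-01T10:20:00Z api-key-cccc GET /api/2/apps 200
2025-10-01T10:35:00Z api-key-cccc GET /api/2/apps 200
2025-10-01T11:06:00Z api-key-dddd GET /api/2/apps 401
this line is malformed and must be skipped
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")
# Matches the list endpoint, a single-app lookup, and either with a query string.
APPS_RE = re.compile(r"^/api/2/apps(?:/\d+)?(?:\?.*)?$")

def parse(line):
    """Return (ts, client_id, method, path, status) or None for unparsable lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
    return ts, m.group(2), m.group(3), m.group(4), int(m.group(5))

def find_enumerators(log_text, window=timedelta(minutes=5), threshold=5):
    """Return {client_id: peak_count} for credentials whose successful GETs to
    /api/2/apps reach `threshold` inside any sliding `window`."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse(line)
        if rec is None:
            continue
        ts, client, method, path, status = rec
        if method == "GET" and status == 200 and APPS_RE.match(path):
            hits[client].append(ts)
    flagged = {}
    for client, times in hits.items():
        times.sort()
        start = 0
        for end in range(len(times)):           # sliding window over timestamps
            while times[end] - times[start] > window:
                start += 1
            count = end - start + 1
            if count >= threshold:
                flagged[client] = max(flagged.get(client, 0), count)
    return flagged
```

Only successful (200) responses are counted, since those are the calls that actually returned application records; a key that paginates through the list quickly is flagged while normal periodic use is not.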

Article Source: https://thehackernews.com/2025/10/onelogin-bug-let-attackers-use-api-keys.html

Threat ID: 68e467476a45552f36e85b82
