PT-2025-27550 · Onelogin · Onelogin Ad Connector

Specterops · Published 2025-07-01 · Updated 2025-07-03 · CVE-2025-34062

CVSS v4.0: 5.7 (Medium)
Vector: AV:L/AC:L/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions: OneLogin AD Connector versions prior to 6.1.5
Description: An information disclosure issue exists via the "/api/adc/v4/configuration" endpoint. An attacker with access to a valid directory token can retrieve a plaintext response disclosing sensitive credentials, including an API key, AWS IAM access and secret keys, and a base64-encoded JWT signing key used in the tenant’s SSO IdP configuration.
Recommendations: For versions prior to 6.1.5, update to version 6.1.5 or later to resolve the issue. As a temporary workaround, consider restricting access to the "/api/adc/v4/configuration" endpoint until a patch is available. Avoid using improperly secured logs and ensure host registry keys are properly secured to prevent directory token disclosure.
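The workaround above asks operators to restrict access to the "/api/adc/v4/configuration" endpoint until the connector is updated. The script below is an added example (not OneLogin's or Specterops' code) showing the audit a defender would run alongside that restriction: it scans constructed web-server access log lines for requests to the configuration endpoint and raises a finding for any request that does not come from a known connector host. The Common Log Format layout, the hypothetical `ALLOWED_SOURCES` addresses and the sample log lines are all assumptions; the endpoint path is the one named in the advisory.

```python
"""Audit access-log lines for reads of the OneLogin AD Connector configuration
endpoint (CVE-2025-34062).  Added example; log format, host addresses and
sample lines are constructed for illustration."""
import re
from dataclasses import dataclass
from typing import Iterable, List

# Endpoint named in the advisory; anything under it is treated as sensitive.
SENSITIVE_PATHS = ("/api/adc/v4/configuration",)

# Assumption: only these connector hosts should ever read the configuration.
# Replace with the addresses of your own AD Connector installations.
ALLOWED_SOURCES = {"10.0.0.5", "10.0.0.6"}

# Assumption: a web server or reverse proxy in front of the API writes
# Common Log Format lines ("src - - [ts] "METHOD path proto" status bytes").
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+$'
)


@dataclass(frozen=True)
class Finding:
    timestamp: str
    source: str
    path: str
    status: int
    severity: str   # "high" if the server answered 200 (credentials likely returned)
    reason: str


def is_sensitive(path: str) -> bool:
    """True when the request path (query string stripped) is the config endpoint."""
    bare = path.split("?", 1)[0]
    return any(bare == p or bare.startswith(p + "/") for p in SENSITIVE_PATHS)


def scan(lines: Iterable[str]) -> List[Finding]:
    """Return one Finding per configuration-endpoint request from a host that
    is not on the allowlist.  Malformed lines are skipped rather than trusted."""
    findings: List[Finding] = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or not is_sensitive(m["path"]):
            continue
        if m["src"] in ALLOWED_SOURCES:
            continue  # expected connector traffic; not a finding
        status = int(m["status"])
        if status == 200:
            severity, reason = "high", "configuration read succeeded from unexpected source"
        else:
            severity, reason = "medium", "configuration endpoint probed from unexpected source"
        findings.append(Finding(m["ts"], m["src"], m["path"], status, severity, reason))
    return findings


# Constructed sample log: two legitimate connector requests, one successful
# read and one rejected probe from an address that is not a connector host,
# and one malformed line.
SAMPLE_LOG = """\
10.0.0.5 - - [02/Jul/2025:10:00:01 +0000] "GET /api/adc/v4/configuration HTTP/1.1" 200 2048
10.0.0.5 - - [02/Jul/2025:10:00:02 +0000] "GET /api/adc/v4/users HTTP/1.1" 200 512
192.0.2.44 - - [02/Jul/2025:10:05:17 +0000] "GET /api/adc/v4/configuration HTTP/1.1" 200 2048
192.0.2.44 - - [02/Jul/2025:10:05:18 +0000] "GET /api/adc/v4/configuration?x=1 HTTP/1.1" 401 0
this line is not an access log entry
"""


def demo() -> List[Finding]:
    return scan(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    for f in demo():
        print(f"[{f.severity}] {f.timestamp} {f.source} {f.status} {f.path}: {f.reason}")
```

A 200 from an address outside the allowlist is the event worth paging on, since it means the plaintext credentials described above were handed out; a 401 or 403 from the same address still deserves review because it shows someone without the directory token found the endpoint. Run the scan over the period before the update to 6.1.5 was applied to decide whether the API key, IAM keys and JWT signing key need to be rotated.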

Status: Fix
Category: Information Disclosure
Weakness Enumeration: Insufficiently Protected Credentials
Related Identifiers: CVE-2025-34062
Affected Products: Onelogin Ad Connector