CVE-2025-34063

Name of the Vulnerable Software and Affected Versions: OneLogin AD Connector versions prior to 6.1.5

Description: A cryptographic authentication bypass issue exists due to the exposure of a tenant’s SSO JWT signing key via the "/api/adc/v4/configuration" endpoint. An attacker with the signing key can craft valid JWT tokens to impersonate arbitrary users within a OneLogin tenant, allowing full unauthorized access across the victim’s SaaS environment.

Recommendations: For versions prior to 6.1.5, update to version 6.1.5 or later to resolve the issue. As a temporary workaround, consider restricting access to the "/api/adc/v4/configuration" endpoint to minimize the risk of exploitation.