PT-2025-37401 · One Identity · OneLogin

Published: 2025-09-14 · Updated: 2025-10-03 · CVE-2025-59363

CVSS v3.1: 7.7 (High)
Vector: AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions: One Identity OneLogin versions prior to 2025.3.0

Description: A security issue exists in One Identity OneLogin that allows an attacker to obtain sensitive OpenID Connect (OIDC) application client secrets. A request to the GET Apps API v2 endpoint incorrectly returns the OIDC client secret, although the secret should only be returned once, at initial app creation. Successful exploitation could allow an attacker to impersonate the affected applications and gain unauthorized access to the services connected to them. The root cause is excessive data being returned by the application listing endpoint (an information exposure).

Recommendations: Versions prior to 2025.3.0 should be updated to version 2025.3.0 or later. Consider rotating OIDC client secrets, since any secret returned by the listing endpoint before the update should be treated as exposed. Review logs for suspicious activity, in particular for unexpected calls to the GET Apps API v2 endpoint. Restrict access to the GET Apps API v2 endpoint.
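The following is an added example that is not part of this advisory and not code from One Identity or OneLogin. It shows two checks a defender would run for this issue: a post-update verification that a decoded app-listing response no longer carries any client-secret-like value, and a review of access-log lines for principals that successfully called the app listing while the tenant was still affected. The listing path `/api/2/apps`, the JSON key name `client_secret`, the log-line layout and all sample data are assumptions constructed for the example; adjust them to your tenant's actual API path and log format.

```python
"""
Defender-side checks for CVE-2025-59363 (OneLogin GET Apps API v2 returning OIDC
client secrets). Added example, not part of the advisory or of OneLogin's own code.

Assumptions (not stated in the advisory):
  - the listing endpoint path is /api/2/apps (adjust if your tenant differs),
  - a leaked secret appears under a JSON key containing "client_secret",
  - access logs are one request per line: "<ts> principal=<p> <METHOD> <path> <status>".
All sample responses and log lines below are constructed for this example.
"""
import json
import re
from collections import Counter

FIXED_VERSION = (2025, 3, 0)  # first version the advisory lists as not affected
SECRET_KEY = re.compile(r"client[_-]?secret", re.IGNORECASE)
APPS_LIST_PATH = re.compile(r"^/api/2/apps/?(\?.*)?$")  # assumed path of the GET Apps API v2 listing
LOG_LINE = re.compile(
    r"^(?P<ts>\S+) principal=(?P<principal>\S+) (?P<method>[A-Z]+) (?P<path>\S+) (?P<status>\d{3})$"
)


def is_affected(version: str) -> bool:
    """True when a dotted version string is older than 2025.3.0 (pads short versions with zeros)."""
    parts = [int(p) for p in version.split(".")]
    parts += [0] * (3 - len(parts))
    return tuple(parts[:3]) < FIXED_VERSION


def find_exposed_secrets(payload, path=""):
    """Walk a decoded JSON listing response and return the JSON path of every
    non-empty client-secret-like value. After the update this should be []."""
    hits = []
    if isinstance(payload, dict):
        for key, value in payload.items():
            child = f"{path}.{key}" if path else key
            if SECRET_KEY.search(key) and isinstance(value, str) and value.strip():
                hits.append(child)
            else:
                hits.extend(find_exposed_secrets(value, child))
    elif isinstance(payload, list):
        for i, item in enumerate(payload):
            hits.extend(find_exposed_secrets(item, f"{path}[{i}]"))
    return hits


def audit_listing_response(body: str):
    """Convenience wrapper: decode a raw response body and audit it."""
    return find_exposed_secrets(json.loads(body))


def listing_calls_by_principal(log_lines, threshold=1):
    """Count successful (200) GET requests to the app listing per principal and return
    those at or above `threshold`. Per-app GETs (/api/2/apps/<id>) and denied calls are ignored."""
    counts = Counter()
    for line in log_lines:
        m = LOG_LINE.match(line)
        if not m:
            continue  # unrelated or malformed line
        if m["method"] == "GET" and m["status"] == "200" and APPS_LIST_PATH.match(m["path"]):
            counts[m["principal"]] += 1
    return {p: n for p, n in counts.items() if n >= threshold}


# Constructed sample data: a listing as an affected tenant might return it, and the same
# listing with the secret no longer present.
VULNERABLE_RESPONSE = json.dumps([
    {"id": 101, "name": "Payroll", "configuration": {"client_id": "cid-example",
                                                      "client_secret": "s3cr3t-EXAMPLE"}},
    {"id": 102, "name": "Wiki", "configuration": {"client_id": "cid-other", "client_secret": ""}},
])
FIXED_RESPONSE = json.dumps([
    {"id": 101, "name": "Payroll", "configuration": {"client_id": "cid-example"}},
    {"id": 102, "name": "Wiki", "configuration": {"client_id": "cid-other"}},
])
SAMPLE_LOG = [
    "2025-09-10T08:00:01Z principal=svc-inventory GET /api/2/apps 200",
    "2025-09-10T08:00:02Z principal=svc-inventory GET /api/2/apps?limit=100 200",
    "2025-09-10T08:05:00Z principal=alice GET /api/2/apps/101 200",
    "2025-09-10T08:06:00Z principal=bob GET /api/2/apps 403",
    "2025-09-10T08:07:00Z principal=mallory GET /api/2/apps 200",
    "garbage line that does not parse",
]

if __name__ == "__main__":
    print("affected 2025.2.1:", is_affected("2025.2.1"))
    print("exposed before update:", audit_listing_response(VULNERABLE_RESPONSE))
    print("exposed after update:", audit_listing_response(FIXED_RESPONSE))
    print("principals that listed apps:", listing_calls_by_principal(SAMPLE_LOG))
```

Any path reported by `audit_listing_response` on a tenant that is supposedly updated means the secret at that path must be treated as exposed and rotated; the principals returned by `listing_calls_by_principal` are the accounts whose activity deserves review, and the list of secrets they could have read is simply the set of OIDC apps visible to them at the time.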

Fix


Weakness Enumeration

Related Identifiers

CVE-2025-59363

Affected Products

OneLogin