<ciso brief/>
Tag Banner

All news with #onelogin tag

all tags →

Wed, October 1, 2025

OneLogin API Bug Exposed OIDC Client Secrets in 2025

#Security Advisory #Patch #API Security #Secrets Exposure #OneLogin #IAM #Disclosure

🔒Clutch Security disclosed a high-severity flaw in the One Identity OneLogin IAM platform that could leak OpenID Connect (OIDC) application client_secret values when queried with valid API credentials. The issue, tracked as CVE-2025-59363 with a CVSS score of 7.7, stemmed from the /api/2/apps endpoint returning secrets alongside app metadata. OneLogin remedied the behavior in OneLogin 2025.3.0 after responsible disclosure; administrators should apply the update, rotate exposed API and OIDC credentials, tighten RBAC scopes, and enable network-level protections such as IP allowlisting where available.

read more →