OneLogin, Many Secrets: Clutch Uncovers Critical API Vulnerability Exposing Client Credentials
October 1, 2025
Critical vulnerability CVE-2025-59363 in OneLogin's API allowed unauthorized access to OIDC application client secrets, potentially compromising enterprise authentication systems across thousands of organizations.
Executive Summary
Clutch Security has identified a critical security vulnerability in OneLogin's API that exposed sensitive OIDC (OpenID Connect) application client secrets through the standard application listing endpoint. This vulnerability, tracked as CVE-2025-59363 with a CVSS base score of 7.7 (High severity), allowed attackers with valid API credentials to enumerate and retrieve client secrets for all OIDC applications within an organization's OneLogin tenant.
Scale of Potential Impact:
- OneLogin serves over 5,500 enterprise customers globally
- 110,000-275,000 OIDC applications were affected, based on typical enterprise OIDC deployment patterns (estimated 20-50 applications per organization)
- Organizations using OneLogin for OIDC-based integrations with third-party services were particularly at risk, especially those that had shared API credentials with vendors or contractors
The vulnerability enabled attackers to impersonate users and gain unauthorized access to integrated applications by leveraging exposed client secrets. This created a significant supply chain risk amplification scenario where a single set of compromised vendor credentials could expose an organization's entire OIDC application portfolio.
OneLogin has addressed this vulnerability in their 2025.3.0 release following our responsible disclosure. We found no evidence of active exploitation, and OneLogin confirmed that no customers were impacted by this vulnerability during the vulnerable period.
Impact: The Supply Chain Attack Multiplier
The vulnerability allowed any actor with valid OneLogin API credentials to retrieve client secrets for all OIDC applications configured within a OneLogin tenant. This created several critical attack scenarios that could cascade across entire business ecosystems:
- Vendor Risk Amplification: Organizations commonly share OneLogin API keys with third-party vendors for integration purposes. Due to OneLogin's RBAC model, API keys typically have broad access to all endpoints. An actor with these credentials could enumerate and extract client secrets for all OIDC applications, not just those relevant to the vendor's integration.
- Application Impersonation: With exposed client secrets, attackers could impersonate legitimate applications and perform OAuth flows to obtain access tokens, effectively bypassing authentication controls for integrated services.
- Lateral Movement Opportunities: In environments where OIDC applications provide access to sensitive systems—such as cloud infrastructure (AWS, Azure, GCP), databases, financial systems, or business-critical applications—compromised client secrets could enable lateral movement across the entire technology stack.
- Scale of Exposure: Since a single set of API credentials could expose secrets for all OIDC applications in a tenant, the impact scaled directly with the number of integrations an organization maintained. For large enterprises with dozens of OIDC integrations, this represented a massive credential exposure event.
- IP Address Restrictions Ineffective: OneLogin does not support IP address allowlisting or denylisting for API access. Even if organizations had documented their vendors' IP addresses with the intention of restricting API key usage, OneLogin's platform limitations made this protection mechanism unavailable. This meant attackers could exploit the vulnerability from anywhere globally, and vendor-queried data containing the secrets could be accessed by unauthorized parties who gained access to vendor systems.
Who is Affected?
This vulnerability impacted any OneLogin customer that met the following criteria:
- Uses OIDC applications: Organizations with OpenID Connect applications configured in their OneLogin tenant
- Shares API credentials: Companies that have provided OneLogin API keys to third-party vendors, contractors, or internal teams (standard practice for enterprise integrations)
- Relies on OneLogin's RBAC model: Since OneLogin's role-based access control typically grants API keys broad endpoint access, any compromised or misused API key could access the vulnerable endpoint
This combination is extremely common in enterprise environments, where OneLogin serves as a central identity provider for multiple integrations and vendors require API access for legitimate business purposes. Based on industry patterns, this likely affected the vast majority of OneLogin's enterprise customer base.
Technical Details
Vulnerability Overview
The vulnerability existed in OneLogin's /api/2/apps endpoint, which is designed to list applications configured within a tenant. While this endpoint should return only metadata and public identifiers, it inadvertently included sensitive client_secret values in the API response.
Attack Flow
The exploitation process was straightforward:
- Obtain API Access: Attacker uses valid OneLogin API credentials (client ID and secret) to authenticate
- Request Access Token: Standard OAuth2 client credentials flow to obtain a bearer token
- Enumerate Applications: Call the /api/2/apps endpoint to list all applications
- Extract Secrets: Parse the response to retrieve client secrets for all OIDC applications
- Abuse Credentials: Use extracted client secrets to impersonate applications and access integrated services
Proof of Concept

Two-step attack process: First, attackers authenticate using compromised OneLogin API credentials to obtain a bearer token. Second, they query the /api/2/apps endpoint to extract plaintext client secrets for all OIDC applications in the tenant.
The response from the second request would include sensitive client_secret values alongside standard application metadata, providing attackers with the credentials needed to impersonate any OIDC application.

API response from OneLogin's application listing endpoint showing the exposed client_secret field. This sensitive credential should never be transmitted in API responses but was returned in plaintext, enabling attackers to perform OAuth flows and impersonate legitimate applications.
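The defender's counterpart to the attack flow and proof of concept above is a fix-verification check: take your own tenant's /api/2/apps listing (after upgrading to 2025.3.0) and confirm that no client_secret field appears anywhere in it. The scanner below is an added example, not Clutch's or OneLogin's code. The two sample responses are constructed; the page does not show OneLogin's real field layout, so the scanner walks every nesting level of the JSON rather than assuming where the key lives, and it reports the location of an exposed secret without echoing the value.

```python
import json

# Constructed sample of what a pre-2025.3.0 /api/2/apps response could have looked
# like. The exact field layout of OneLogin's real response is not shown on the page,
# so the scanner walks every nesting level instead of assuming where the key lives.
# auth_method 8 is OpenId Connect in OneLogin's documented app model, as I understand
# it; the scanner does not depend on that value.
SAMPLE_LISTING_BEFORE_FIX = json.dumps([
    {"id": 101, "name": "Payroll Portal (OIDC)", "auth_method": 8,
     "configuration": {"client_id": "cid-101", "client_secret": "CONSTRUCTED-SECRET-1"}},
    {"id": 102, "name": "Legacy SAML App", "auth_method": 2,
     "configuration": {"signature_algorithm": "SHA-256"}},
    {"id": 103, "name": "Cloud Console (OIDC)", "auth_method": 8,
     "client_secret": "CONSTRUCTED-SECRET-2"},
])

# The same tenant as it should look once only metadata and public identifiers are returned.
SAMPLE_LISTING_AFTER_FIX = json.dumps([
    {"id": 101, "name": "Payroll Portal (OIDC)", "auth_method": 8,
     "configuration": {"client_id": "cid-101"}},
    {"id": 102, "name": "Legacy SAML App", "auth_method": 2,
     "configuration": {"signature_algorithm": "SHA-256"}},
    {"id": 103, "name": "Cloud Console (OIDC)", "auth_method": 8},
])

# Keys that must never appear in a listing response.
SECRET_KEYS = frozenset({"client_secret"})


def _walk(node, path=()):
    """Yield (path, key, value) for every dict entry at any depth of a JSON tree."""
    if isinstance(node, dict):
        for key, value in node.items():
            yield path + (key,), key, value
            yield from _walk(value, path + (key,))
    elif isinstance(node, list):
        for index, item in enumerate(node):
            yield from _walk(item, path + (index,))


def find_exposed_secrets(listing_json):
    """Return one finding per non-empty secret-bearing key, without the secret value."""
    apps = json.loads(listing_json)
    if not isinstance(apps, list):
        apps = [apps]
    findings = []
    for path, key, value in _walk(apps):
        if key in SECRET_KEYS and value:
            top = apps[path[0]]
            app = top if isinstance(top, dict) else {}
            findings.append({
                "app_id": app.get("id"),
                "app_name": app.get("name"),
                "path": "/".join(str(p) for p in path),  # location only, never the value
            })
    return findings


def listing_is_clean(listing_json):
    """True when the listing carries no secret-bearing key at any depth."""
    return not find_exposed_secrets(listing_json)


if __name__ == "__main__":
    for label, body in (("before fix", SAMPLE_LISTING_BEFORE_FIX),
                        ("after fix", SAMPLE_LISTING_AFTER_FIX)):
        print(label + ":", "clean" if listing_is_clean(body) else find_exposed_secrets(body))
```

Feed the function the raw body of your tenant's listing response; a non-empty result means the tenant is still returning secrets and every application it names needs its client secret rotated regardless of the reported version.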
Our Discovery Process
During our routine security assessment of identity provider APIs, Clutch researchers identified that OneLogin's application listing endpoint was returning more data than expected. While investigating the API response structure, we noticed that client secrets—which should remain confidential and never be transmitted in API responses—were being included in plaintext.
We immediately recognized the severity of this finding given OneLogin's widespread enterprise adoption and the potential for credential sharing scenarios to amplify the impact. Our team verified the vulnerability across multiple OneLogin tenants and confirmed that the issue was consistent across different application configurations.
Disclosure Timeline
- July 18, 2025: Initial vulnerability report submitted to OneLogin support
- July 22, 2025: OneLogin acknowledges receipt (classified Critical) and begins investigation
- July 30, 2025: OneLogin confirms vulnerability and commits to resolution
- August 27, 2025: Escalation due to extended timeline without technical discussion
- September 2, 2025: OneLogin schedules technical call to discuss findings
- September 9, 2025: Technical call confirms vulnerability resolution in OneLogin 2025.3.0
- September 10, 2025: Clutch validates and confirms vulnerability fix
- September 15, 2025: OneLogin provides CVE reference and official statement
- September 19, 2025: Public disclosure coordinated with OneLogin
- October 1, 2025: Blog post publication
Remediation and Response
Immediate Actions Required
Organizations using OneLogin with OIDC applications should take the following steps:
- Verify OneLogin Version: Ensure your OneLogin tenant is running version 2025.3.0 or later
- Revoke Client Secrets: Immediately regenerate client secrets for all OIDC applications as a precautionary measure
- Monitor for Anomalous Access: Check logs for unusual authentication patterns or unexpected application access
- IP Address Analysis: Even though OneLogin doesn't support IP restrictions, audit API usage logs to verify that access patterns align with expected vendor locations and identify any anomalous geographic access
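Steps three and four of the list above (monitor for anomalous access, audit API usage against expected vendor locations) can be turned into a repeatable check. The audit below is an added example, not Clutch's or OneLogin's tooling, and the log records, vendor IP ranges and per-credential endpoint scopes are all constructed placeholders: OneLogin's real event schema is not on the page, so map your tenant's export onto these keys first. It flags each API call whose source IP falls outside the credential's documented ranges or whose endpoint is outside what that integration needs, and rates calls that reached the /api/2/apps resource as high severity, since before 2025.3.0 that response carried client secrets.

```python
import ipaddress

# Constructed sample API-usage records. This is NOT OneLogin's real event schema;
# map your tenant's export (or SIEM fields) onto these keys before running it.
SAMPLE_API_LOG = [
    {"ts": "2025-07-18T09:12:03Z", "api_client_id": "vendor-hr-sync",
     "src_ip": "203.0.113.10", "path": "/api/2/users"},
    {"ts": "2025-07-18T09:12:05Z", "api_client_id": "vendor-hr-sync",
     "src_ip": "203.0.113.10", "path": "/api/2/apps"},
    {"ts": "2025-07-19T02:40:59Z", "api_client_id": "vendor-hr-sync",
     "src_ip": "198.51.100.77", "path": "/api/2/users"},
    {"ts": "2025-07-19T02:41:17Z", "api_client_id": "vendor-hr-sync",
     "src_ip": "198.51.100.77", "path": "/api/2/apps"},
    {"ts": "2025-07-19T02:41:18Z", "api_client_id": "vendor-hr-sync",
     "src_ip": "198.51.100.77", "path": "/api/2/apps/101"},
    {"ts": "2025-07-20T11:00:00Z", "api_client_id": "internal-reporting",
     "src_ip": "10.20.0.5", "path": "/api/2/apps"},
]

# Source ranges each shared credential was documented to use (hypothetical values).
EXPECTED_SOURCES = {
    "vendor-hr-sync": ["203.0.113.0/24"],
    "internal-reporting": ["10.20.0.0/16"],
}

# Endpoints each credential's integration actually needs (hypothetical values).
EXPECTED_PATHS = {
    "vendor-hr-sync": ["/api/2/users"],
    "internal-reporting": ["/api/2/apps"],
}


def _source_allowed(client_id, src_ip, expected_sources):
    """True if src_ip falls inside one of the credential's documented ranges."""
    addr = ipaddress.ip_address(src_ip)
    return any(addr in ipaddress.ip_network(cidr, strict=False)
               for cidr in expected_sources.get(client_id, []))


def _path_in_scope(path, allowed):
    """Prefix match so that /api/2/apps/101 counts as the /api/2/apps resource."""
    return any(path == p or path.startswith(p + "/") for p in allowed)


def _touches_app_listing(path):
    return _path_in_scope(path, ["/api/2/apps"])


def audit_api_usage(records, expected_sources, expected_paths):
    """Return the records that deviate from documented source or endpoint scope."""
    findings = []
    for rec in records:
        cid = rec["api_client_id"]
        reasons = []
        if not _source_allowed(cid, rec["src_ip"], expected_sources):
            reasons.append("source IP outside documented ranges")
        if not _path_in_scope(rec["path"], expected_paths.get(cid, [])):
            reasons.append("endpoint outside the integration's expected scope")
        if not reasons:
            continue
        # Before 2025.3.0 the app listing carried client_secret values, so an
        # anomalous read of it is the record that matters most for rotation.
        severity = "high" if _touches_app_listing(rec["path"]) else "medium"
        findings.append({**rec, "reasons": reasons, "severity": severity})
    return findings


def credentials_to_rotate(findings):
    """API credentials whose anomalous use reached the app listing."""
    return {f["api_client_id"] for f in findings if f["severity"] == "high"}


if __name__ == "__main__":
    results = audit_api_usage(SAMPLE_API_LOG, EXPECTED_SOURCES, EXPECTED_PATHS)
    for f in results:
        print(f["severity"], f["ts"], f["api_client_id"], f["src_ip"], f["path"], f["reasons"])
    print("rotate API credentials:", sorted(credentials_to_rotate(results)))
```

A high-severity finding tells you which shared API credential to revoke first; it does not narrow the OIDC secret rotation, because a single listing call returned every application's secret, so the precautionary rotation in step two still applies to the whole tenant.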
OneLogin's Response
OneLogin responded professionally to our disclosure and provided the following official statement:
"Protecting our customers is our top priority, and we appreciate the responsible disclosure by Clutch Security. The reported vulnerability was resolved with the OneLogin 2025.3.0 release. To our knowledge, no customers were impacted by this vulnerability." — Stuart Sharp, VP of Product
Key Takeaways
This vulnerability underscores several critical security considerations for enterprise identity management:
API Security is Foundation Security: Identity providers serve as the backbone of enterprise security architecture. Vulnerabilities in these systems can have cascading effects across entire technology stacks, making rigorous API security essential.
Credential Sharing Amplifies Risk: While sharing API credentials with trusted vendors is often necessary for business operations, organizations must understand that this practice can amplify the impact of vulnerabilities. A single compromised or misused credential set can provide access to far more resources than originally intended.
Principle of Least Privilege: OneLogin's broad API permission model meant that credentials intended for specific integrations could access sensitive endpoints across the entire platform. Organizations should advocate for more granular permission models and regularly audit the scope of shared credentials.
Supply Chain Security Vigilance: This vulnerability demonstrates how identity provider compromises can cascade across vendor relationships, creating supply chain attack opportunities. Organizations must consider not just direct vendor access, but the downstream implications of shared credentials.
Regular Security Assessments: This vulnerability remained undetected in a widely-used enterprise platform, highlighting the importance of ongoing security research and assessment of critical infrastructure components.
Customer Notification and Response
Upon confirming the vulnerability had been resolved by OneLogin, Clutch immediately notified our customers using OneLogin in their environments. We provided them with:
- Details about the vulnerability and its resolution status
- Confirmation that OneLogin had implemented a fix in version 2025.3.0
- Specific remediation steps including client secret rotation recommendations
- Timeline for our public disclosure to ensure transparency
This proactive notification allowed our customers to take immediate action to verify their OneLogin deployments and implement additional security measures as needed, demonstrating the value of continuous security monitoring and research in protecting enterprise identity infrastructure.
Responsible Disclosure
We appreciate OneLogin's professional handling of this vulnerability report and their commitment to customer security. The company responded appropriately to our disclosure, investigated thoroughly, and implemented a fix in a reasonable timeframe while maintaining transparent communication throughout the process.
Organizations relying on OneLogin can be confident that the vulnerability has been resolved, though we strongly recommend following the remediation steps outlined above as a security best practice.