Sensitive Data Exposure in One Identity OneLogin Affected by GET Apps API v2
CVE-2025-59363

7.7HIGH

Key Information:

Vendor: One Identity
Status: Onelogin
Vendor: CVE Published:; 14 September 2025

🔔 Create One Identity Vulnerability Alert

Badges

👾 Exploit Exists📰 News Worthy

What is CVE-2025-59363?

A vulnerability exists in One Identity OneLogin prior to version 2025.3.0 where the OIDC client secret is inadvertently exposed through the GET Apps API v2. This secret, which should only be disclosed when an application is originally created, could be accessed through a routine API call, thus risking unauthorized access to sensitive information and compromising application security.

Human OS v1.0:
Ageing Is an Unpatched Zero-Day Vulnerability.

Remediate biological technical debt. Prime Ageing uses 95% high-purity SIRT6 activation to maintain genomic integrity and bolster systemic resilience.

Deploy the Patch

Affected Version(s)

OneLogin 0 < 2025.3.0

News Articles

The Hacker News

CVE-2025-59363

OneLogin Bug Let Attackers Use API Keys to Steal OIDC Secrets and Impersonate Apps

OneLogin flaw CVE-2025-59363 exposed OIDC client secrets; patched in 2025.3.0 with no exploitation reported.

References

https://onelogin.service-now.com/support?id=kb_article&sy...

CVSS V3.1

Score:

7.7

Severity:

HIGH

Confidentiality:

High

Integrity:

None

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Changed

Timeline

👾
Exploit known to exist
Oct 1, 2025
📰
First article discovered by The Hacker News
Oct 1, 2025
Vulnerability published
Sep 14, 2025
Vulnerability Reserved
Sep 14, 2025

JSON

One Identity