Sensitive Data Exposure in One Identity OneLogin Affected by GET Apps API v2
CVE-2025-59363

7.7 HIGH

Key Information:

Status: Vendor
CVE Published: 14 September 2025

Badges

👾 Exploit Exists
📰 News Worthy

What is CVE-2025-59363?

A vulnerability in One Identity OneLogin before version 2025.3.0 exposes the OIDC client secret through the GET Apps API v2. The secret, which should be disclosed only once, when an application is first created, could instead be retrieved by a routine API call, risking unauthorized access to sensitive information and compromising the security of the applications that rely on it.

Affected Version(s)

OneLogin, all versions before 2025.3.0

News Articles

OneLogin Bug Let Attackers Use API Keys to Steal OIDC Secrets and Impersonate Apps

OneLogin flaw CVE-2025-59363 exposed OIDC client secrets; patched in 2025.3.0 with no exploitation reported.

CVSS V3.1

Score: 7.7
Severity: HIGH
Confidentiality: High
Integrity: None
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Changed

Timeline

  • 👾 Exploit known to exist
  • 📰 First article discovered by The Hacker News
  • Vulnerability published
  • Vulnerability reserved