Introduction
A critical security vulnerability has been discovered in One Identity’s OneLogin Identity and Access Management (IAM) solution. Tracked as CVE-2025-59363, this flaw could expose sensitive OpenID Connect (OIDC) application client secrets, posing significant risks if exploited.
Key Details
- Who: One Identity, a leader in IAM solutions.
- What: A vulnerability in OneLogin’s API that allows attackers to retrieve sensitive client secrets for OIDC applications.
- When: Reported on July 18, 2025, and patched in version 2025.3.0 released last month.
- Where: This affects organizations using OneLogin’s IAM across various deployments.
- Why: The flaw allows attackers with valid API credentials to enumerate and access client secrets, potentially enabling them to impersonate applications and access integrated services.
- How: The /api/2/apps endpoint was misconfigured so that its listing response included sensitive data, client secrets among it, which anyone holding valid API credentials could retrieve.
Why It Matters
This vulnerability highlights critical concerns for enterprise security and compliance:
- Enterprise Security: Identity providers are foundational to security architecture. A breach can cascade through the entire tech stack.
- API Security: The flaw emphasizes the need for rigorous API security, especially in hybrid or multi-cloud environments.
- Operational Impacts: Organizations could face unauthorized access, risking data breaches and service integrity.
Takeaway for IT Teams
IT professionals should review their OneLogin configurations and ensure that they are running the latest patch. Strong API credential management policies and additional access controls are essential to mitigate potential risks. Regular security audits of IAM systems will also help identify similar vulnerabilities in the future.
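As an added example (not from the advisory or from One Identity), a small Python check that covers both the "How" item above and the configuration-review advice: it walks an app-listing response such as /api/2/apps would return, reports any populated secret-bearing field, and shows the server-side filter a fixed endpoint should apply before responding. The sample response and its field names are constructed; OneLogin's real API schema is not given on this page.

```python
import json
import re
from typing import Any, Iterator

# Key names whose values must never leave the server in an app-listing response.
# Constructed pattern; OneLogin's real schema is not given on this page.
SECRET_KEY_PATTERN = re.compile(r"(client_?secret|secret|private_key)$", re.IGNORECASE)

# Constructed sample of what an over-permissive /api/2/apps listing might return.
# Field names are hypothetical, not OneLogin's actual API schema.
SAMPLE_APPS_RESPONSE = json.dumps([
    {"id": 101, "name": "Payroll", "auth_method": "OIDC",
     "configuration": {"client_id": "payroll-app", "client_secret": "s3cr3t-EXAMPLE",
                       "redirect_uri": "https://payroll.example/cb"}},
    {"id": 102, "name": "Wiki", "auth_method": "SAML",
     "configuration": {"signature_algorithm": "SHA-256"}},
])

def find_secret_paths(obj: Any, path: str = "$") -> Iterator[str]:
    """Yield JSONPath-like locations of populated secret-looking keys in a response."""
    if isinstance(obj, dict):
        for key, value in obj.items():
            child = f"{path}.{key}"
            if SECRET_KEY_PATTERN.search(key) and value not in (None, ""):
                yield child
            yield from find_secret_paths(value, child)
    elif isinstance(obj, list):
        for index, item in enumerate(obj):
            yield from find_secret_paths(item, f"{path}[{index}]")

def audit_listing(raw_json: str) -> list[str]:
    """Detection side: list every location where a listing response leaks a secret."""
    return list(find_secret_paths(json.loads(raw_json)))

def strip_secrets(obj: Any) -> Any:
    """Mitigation side: drop secret-bearing keys at any depth before serialising."""
    if isinstance(obj, dict):
        return {k: strip_secrets(v) for k, v in obj.items() if not SECRET_KEY_PATTERN.search(k)}
    if isinstance(obj, list):
        return [strip_secrets(item) for item in obj]
    return obj

def harden_listing(raw_json: str) -> str:
    """What a fixed endpoint should return: the same listing with secrets removed."""
    return json.dumps(strip_secrets(json.loads(raw_json)))

if __name__ == "__main__":
    print("leaked:", audit_listing(SAMPLE_APPS_RESPONSE))  # → ['$[0].configuration.client_secret']
    print("after fix:", audit_listing(harden_listing(SAMPLE_APPS_RESPONSE)))  # → []
```

Running the audit against a live listing (with the account's own API credentials) tells a defender whether an unpatched tenant is still returning secrets, and the filter shows the allow-only-what-is-needed shape of the fix.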
For more curated news and infrastructure insights, visit TrendInfra.com.