One Identity OneLogin OIDC Client Secret Exposure Vulnerability in Apps API v2

Vulnerability

A vulnerability exists in One Identity OneLogin versions prior to 2025.3.0: the GET Apps API v2 returns the OIDC client secret of an application in its response. The secret is meant to be returned only once, in the response to the API call that creates the application, and should not be retrievable afterwards.

Impact

Any caller able to read applications through the API (for example an integration holding an API credential with read access to apps) can collect the client secret of every OIDC application in the tenant. Because the client secret is the credential with which a confidential client authenticates to the OIDC token endpoint, whoever holds it can impersonate the affected application towards OneLogin and misuse the OIDC flows that trust that client, which can lead to unauthorized access or manipulation of OIDC-related functionality.

Remediation

Update to One Identity OneLogin version 2025.3.0 or later, where this issue is fixed. Because any client secret returned by the API before the upgrade may already have been read and stored elsewhere (API client logs, integrations with read access to apps), rotate the client secrets of existing OIDC applications after upgrading and review API access logs for unexpected reads of the Apps API v2.
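A way to verify, both before and after the upgrade, whether a tenant's Apps API v2 responses still carry secrets. This is an added example for this advisory, not OneLogin's own code. It assumes the endpoint is GET /api/2/apps with a bearer token, and that an exposed secret appears under a JSON key containing "secret" (such as "client_secret") somewhere in an application's representation; the exact key name and nesting in an affected release are assumptions, which is why the scan matches any secret-looking key rather than one fixed field. The sample responses are constructed, not real tenant data.

```python
"""Scan OneLogin Apps API v2 responses for leaked OIDC client secrets.

Added example for this advisory, not OneLogin's code. Endpoint path and
the key name of the leaked field are assumptions (see lead-in).
"""
import json
import urllib.request

SECRET_KEY_HINT = "secret"  # assumption: leaked field name contains this


def find_secret_fields(obj, path="$"):
    """Recursively collect (json_path, value) pairs for keys that look like
    secrets and carry a non-empty string value."""
    hits = []
    if isinstance(obj, dict):
        for key, value in obj.items():
            child = f"{path}.{key}"
            if SECRET_KEY_HINT in key.lower() and isinstance(value, str) and value:
                hits.append((child, value))
            hits.extend(find_secret_fields(value, child))
    elif isinstance(obj, list):
        for idx, value in enumerate(obj):
            hits.extend(find_secret_fields(value, f"{path}[{idx}]"))
    return hits


def leaking_apps(apps):
    """Map app id -> list of JSON paths where a secret is returned, for every
    app in a GET /api/2/apps listing that exposes one. Empty dict means clean."""
    result = {}
    for app in apps:
        hits = find_secret_fields(app)
        if hits:
            result[app.get("id")] = [p for p, _ in hits]
    return result


def fetch_apps(subdomain, bearer_token):
    """Live check against a tenant (network call; token needs app read access).
    Assumed endpoint: GET https://<subdomain>.onelogin.com/api/2/apps"""
    url = f"https://{subdomain}.onelogin.com/api/2/apps"
    req = urllib.request.Request(
        url, headers={"Authorization": f"Bearer {bearer_token}"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


# Constructed sample listings (not real tenant data) for an offline run.
SAMPLE_VULNERABLE = [
    {"id": 101, "name": "Payroll OIDC",
     "configuration": {"redirect_uri": "https://payroll.example/cb",
                       "client_id": "abc123",
                       "client_secret": "s3cr3t-value"}},
    {"id": 102, "name": "Wiki SAML",
     "configuration": {"signature_algorithm": "SHA-256"}},
]
SAMPLE_FIXED = [
    {"id": 101, "name": "Payroll OIDC",
     "configuration": {"redirect_uri": "https://payroll.example/cb",
                       "client_id": "abc123"}},
]

if __name__ == "__main__":
    for label, apps in (("vulnerable", SAMPLE_VULNERABLE), ("fixed", SAMPLE_FIXED)):
        print(label, leaking_apps(apps))
    # For a live tenant: print(leaking_apps(fetch_apps("yourtenant", "<token>")))
```

Run it offline first to see the two sample outcomes, then point `fetch_apps` at your tenant. Any non-empty result after upgrading to 2025.3.0 means a secret is still being returned, and the listed app IDs are the ones whose client secrets should be rotated.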

Added: Sep 14, 2025, 5:17 AM
Updated: Sep 14, 2025, 5:17 AM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 2.5
exploitability: 5.2
remediation: 0.0
relevance: 0.5
threat: 0.0
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.