TL;DR: A critical OneLogin API flaw exposed OIDC application client secrets to any actor with valid API credentials, affecting an estimated 110,000 to 275,000 applications across more than 5,500 enterprise customers, according to Clutch Security.
NHIMG editorial — based on content published by Clutch Security: OneLogin, Many Secrets: Clutch Uncovers Critical API Vulnerability Exposing Client Credentials
By the numbers:
- OneLogin serves over 5,500 enterprise customers globally.
- The CVSS base score for CVE-2025-59363 was 7.7.
Questions worth separating out
Q: What breaks when an identity provider API exposes client secrets?
A: A read-only endpoint becomes a credential harvesting path.
Q: Why do shared API credentials increase the impact of OIDC secret exposure?
A: Shared credentials often carry broader endpoint access than the integration actually needs.
Q: How do security teams know if identity provider API access is too broad?
A: Check whether a vendor key can enumerate applications, read sensitive application fields, or reach endpoints unrelated to its stated integration purpose.
Practitioner guidance
- Inventory every OneLogin API credential: identify which vendors, contractors, and internal teams hold identity provider API keys, then map each key to the exact endpoints it can reach.
- Rotate all OIDC client secrets tied to exposed tenants: regenerate client secrets for every OIDC application in the affected tenant and prioritise services that authenticate to cloud platforms, databases, or critical business applications.
- Audit identity provider API responses for secret leakage: test listing, discovery, and management endpoints to confirm they return metadata only and never include client_secret values, tokens, or other credentials.
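As an added example for the audit step (not Clutch Security's or OneLogin's code), a small response scanner: it walks a parsed JSON reply from a listing or management endpoint and flags every credential-named field that carries a non-redacted value. The sample response shape is constructed for illustration and is an assumption, not OneLogin's real schema.

```python
import json
import re
from typing import Any, Iterator

# Field names that denote a credential rather than metadata. Any of these
# appearing with a real value in a list/discovery/management response is a
# finding: such endpoints should return metadata only.
SECRET_KEY_PATTERN = re.compile(
    r"(client_secret|secret|token|password|private_key|api_key)", re.IGNORECASE
)

# Values a provider may legitimately return in place of the real secret.
REDACTED_MARKERS = {"", "***", "[REDACTED]", "<redacted>", None}


def walk(obj: Any, path: str = "$") -> Iterator[tuple[str, Any]]:
    """Yield (json_path, value) for every scalar leaf in a parsed JSON document."""
    if isinstance(obj, dict):
        for key, val in obj.items():
            yield from walk(val, f"{path}.{key}")
    elif isinstance(obj, list):
        for i, val in enumerate(obj):
            yield from walk(val, f"{path}[{i}]")
    else:
        yield path, obj


def find_leaked_credentials(payload: Any) -> list[str]:
    """Return JSON paths whose key looks like a credential and whose value is not redacted."""
    findings = []
    for path, value in walk(payload):
        leaf_key = path.rsplit(".", 1)[-1]
        if SECRET_KEY_PATTERN.search(leaf_key) and value not in REDACTED_MARKERS:
            findings.append(path)
    return findings


# Constructed sample of an application-listing reply (assumed shape, not the
# vendor's actual schema): one entry leaks a secret, the other is redacted.
SAMPLE_LISTING = json.loads("""
[
  {"id": 1, "name": "payroll-sso", "auth_method": "OIDC",
   "configuration": {"redirect_uri": "https://payroll.example/cb",
                     "client_secret": "s3cr3t-value-leaked"}},
  {"id": 2, "name": "wiki-sso", "auth_method": "OIDC",
   "configuration": {"redirect_uri": "https://wiki.example/cb",
                     "client_secret": "[REDACTED]"}}
]
""")

if __name__ == "__main__":
    for leaked_path in find_leaked_credentials(SAMPLE_LISTING):
        print("credential exposed at", leaked_path)
```

Point it at the saved body of each endpoint the guidance names; any path it prints is a field the provider should be redacting.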
What's in the full article
Clutch Security's full blog post covers the operational detail this post intentionally leaves for the source:
- The exact attack flow used to retrieve client secrets from the application listing endpoint.
- Clutch's disclosure timeline and remediation sequence with OneLogin.
- The specific version guidance for affected tenants and the response steps they recommended.
- Their proof-of-concept request and response structure showing how the secret appeared in plaintext.
👉 Read Clutch Security's analysis of the OneLogin API client secret exposure →