Description
A cryptographic authentication bypass vulnerability exists in OneLogin AD Connector prior to 6.1.5 due to the exposure of a tenant’s SSO JWT signing key via the /api/adc/v4/configuration endpoint. An attacker in possession of the signing key can craft valid JWT tokens impersonating arbitrary users within a OneLogin tenant. The tokens allow authentication to the OneLogin SSO portal and all downstream applications federated via SAML or OIDC. This allows full unauthorized access across the victim’s SaaS environment.
References (3)
Core 3
Core References
Various Sources vendor-advisory
patch
https://support.onelogin.com/product-notification/noti-00001768
Various Sources technical-description
https://specterops.io/blog/2025/06/10/onelogin-many-issues-how-i-pivoted-from-a-trial-tenant-to-compromising-customer-signing-keys/
Third Party Advisory third-party-advisory
https://vulncheck.com/advisories/onelogin-ad-connector-account-compromise
Scores
CVSS v4
10.0
EPSS
0.0053
EPSS Percentile
40.7%
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H
CISA SSVC
Vulnrichment
Exploitation
poc
Automatable
yes
Technical Impact
total
Details
CWE
CWE-290
Status
published
Products (1)
One Identity/OneLogin Active Directory Connector (ADC)
< 6.1.5
Published
Jul 01, 2025
Tracked Since
Feb 18, 2026