Description
A cloud infrastructure misconfiguration in the OneLogin AD Connector causes log data to be uploaded to a hardcoded S3 bucket (onelogin-adc-logs-production) without verifying that the bucket is owned by the expected account. An attacker who registers this unclaimed bucket name begins receiving log files uploaded by other OneLogin tenants. These logs may contain sensitive data such as directory tokens, user metadata, and environment configuration. The result is cross-tenant leakage of secrets, potentially allowing recovery of JWT signing keys and impersonation of users.
References (3)
Scores
CVSS v4
9.0
EPSS
0.0036
EPSS Percentile
58.4%
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:L/VA:N/SC:H/SI:L/SA:N
CISA SSVC
Vulnrichment
Exploitation
poc
Automatable
yes
Technical Impact
partial
Details
CWE
CWE-200
CWE-668
Status
published
Products (1)
One Identity/OneLogin Active Directory Connector (ADC)
< 6.1.5
Published
Jul 01, 2025
Tracked Since
Feb 18, 2026