Description
A cloud infrastructure misconfiguration in OneLogin AD Connector results in log data being sent to a hardcoded S3 bucket (onelogin-adc-logs-production) without validating bucket ownership. An attacker who registers this unclaimed bucket can begin receiving log files from other OneLogin tenants. These logs may contain sensitive data such as directory tokens, user metadata, and environment configuration. This enables cross-tenant leakage of secrets, potentially allowing JWT signing key recovery and user impersonation.
References (3)
Vendor advisory / patch (various sources): https://support.onelogin.com/product-notification/noti-00001768
Technical description (various sources): https://specterops.io/blog/2025/06/10/onelogin-many-issues-how-i-pivoted-from-a-trial-tenant-to-compromising-customer-signing-keys/
Third-party advisory: https://vulncheck.com/advisories/onelogin-ad-connector-account-compromise
Scores
CVSS v4: 9.0
CVSS v4 vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:L/VA:N/SC:H/SI:L/SA:N
EPSS: 0.0045
EPSS Percentile: 35.3%
CISA SSVC (Vulnrichment): Exploitation: poc; Automatable: yes; Technical Impact: partial
Details
CWE: CWE-200, CWE-668
Status: published
Products (1): One Identity/OneLogin Active Directory Connector (ADC), versions < 6.1.5
Published: Jul 01, 2025
Tracked Since: Feb 18, 2026