CRITICAL🇵🇱 Wersja polska

CVE-2025-34063

CVSS 10.0v4.0pub. 2025-07-01upd. 2026-04-15

A cryptographic authentication bypass vulnerability exists in OneLogin AD Connector prior to 6.1.5 due to the exposure of a tenant’s SSO JWT signing key via the /api/adc/v4/configuration endpoint. An attacker in possession of the signing key can craft valid JWT tokens impersonating arbitrary users within a OneLogin tenant. The tokens allow authentication to the OneLogin SSO portal and all downstream applications federated via SAML or OIDC. This allows full unauthorized access across the victim’s SaaS environment.

🤖 AI Analysis
How it works

The /api/adc/v4/configuration endpoint exposes the JWT signing key (SSO signing key) assigned to the tenant without requiring authentication. An attacker who obtains this key can independently generate valid JWT tokens impersonating any user within the given OneLogin tenant. The generated tokens are accepted by the OneLogin SSO portal and all applications integrated with it via SAML or OIDC protocols. The vulnerability is classified as CWE-290 (Authentication Bypass by Spoofing) because the identity verification mechanism based on cryptographic signature is completely bypassed.

Impact

The attacker gains full, unauthorized access to the SSO portal and all SaaS applications federated via SAML or OIDC within the victim's tenant, which is equivalent to compromising the entire organization's identity environment. It is possible to impersonate any user, including administrators.

Mitigation & patch

OneLogin AD Connector must be updated to version 6.1.5 or later. Update details are available in the official vendor notification at: https://support.onelogin.com/product-notification/noti-00001768. After updating, it is recommended to rotate the compromised JWT key and audit access logs to the /api/adc/v4/configuration endpoint to detect any unauthorized reads.

Who is affected

OneLogin AD Connector in versions prior to 6.1.5

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
Tags
Auth Bypass
CWE
References