CVE-2025-34063 CRITICAL

CVE-2025-34063: OneLogin AD Connector JWT Authentication Bypass via Exposed Signing Key

Vendor One Identity
Product OneLogin Active Directory Connector (ADC)
Weakness CWE-290
Published July 1, 2025
Last update July 1, 2025

CVSS base score

10.0/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

What the vulnerability does

01Description

A cryptographic authentication bypass vulnerability exists in OneLogin AD Connector prior to 6.1.5 due to the exposure of a tenant’s SSO JWT signing key via the /api/adc/v4/configuration endpoint. An attacker in possession of the signing key can craft valid JWT tokens impersonating arbitrary users within a OneLogin tenant. The tokens allow authentication to the OneLogin SSO portal and all downstream applications federated via SAML or OIDC. This allows full unauthorized access across the victim’s SaaS environment.

Key dates

02Disclosure timeline

July 1, 2025 CVE published
July 1, 2025 Record updated