A cryptographic authentication bypass vulnerability exists in OneLogin AD Connector prior to 6.1.5 due to the exposure of a tenant’s SSO JWT signing key via the /api/adc/v4/configuration endpoint. An attacker in possession of the signing key can craft valid JWT tokens impersonating arbitrary users within a OneLogin tenant. The tokens allow authentication to the OneLogin SSO portal and all downstream applications federated via SAML or OIDC. This allows full unauthorized access across the victim’s SaaS environment.
The /api/adc/v4/configuration endpoint exposes the JWT signing key (SSO signing key) assigned to the tenant without requiring authentication. An attacker who obtains this key can independently generate valid JWT tokens impersonating any user within the given OneLogin tenant. The generated tokens are accepted by the OneLogin SSO portal and all applications integrated with it via SAML or OIDC protocols. The vulnerability is classified as CWE-290 (Authentication Bypass by Spoofing) because the identity verification mechanism based on cryptographic signature is completely bypassed.
The attacker gains full, unauthorized access to the SSO portal and all SaaS applications federated via SAML or OIDC within the victim's tenant, which is equivalent to compromising the entire organization's identity environment. It is possible to impersonate any user, including administrators.
OneLogin AD Connector must be updated to version 6.1.5 or later. Update details are available in the official vendor notification at: https://support.onelogin.com/product-notification/noti-00001768. After updating, it is recommended to rotate the compromised JWT key and audit access logs to the /api/adc/v4/configuration endpoint to detect any unauthorized reads.
OneLogin AD Connector in versions prior to 6.1.5
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X