In One Identity OneLogin before 2025.3.0, a request returns the OIDC client secret with GET Apps API v2 (even though this secret should only be returned when an App is first created),
https://thehackernews.com/2025/10/onelogin-bug-let-attackers-use-api-keys.html