diff --git a/.bumpy/infisical-oidc-sdk-v5-fix.md b/.bumpy/infisical-oidc-sdk-v5-fix.md
new file mode 100644
index 000000000..0b2619e4c
--- /dev/null
+++ b/.bumpy/infisical-oidc-sdk-v5-fix.md
@@ -0,0 +1,5 @@
+---
+"@varlock/infisical-plugin": patch
+---
+
+fix OIDC auth for @infisical/sdk v5 by exchanging JWT via oidc-auth login endpoint
diff --git a/packages/plugins/infisical/package.json b/packages/plugins/infisical/package.json
index 96b1425dd..c4c1dfc34 100644
--- a/packages/plugins/infisical/package.json
+++ b/packages/plugins/infisical/package.json
@@ -45,7 +45,7 @@
 "varlock": "workspace:^"
 },
 "devDependencies": {
- "@infisical/sdk": "^5.0.0",
+ "@infisical/sdk": "^5.0.2",
 "@env-spec/utils": "workspace:^",
 "@types/node": "catalog:",
 "tsup": "catalog:",
diff --git a/packages/plugins/infisical/src/plugin.ts b/packages/plugins/infisical/src/plugin.ts
index 96c07e495..999f1a957 100644
--- a/packages/plugins/infisical/src/plugin.ts
+++ b/packages/plugins/infisical/src/plugin.ts
@@ -62,6 +62,35 @@ class InfisicalPluginInstance {
 }
 private infisicalClientPromise?: Promise;
+ private static readonly defaultSiteUrl = 'https://app.infisical.com';
+
+ private async exchangeOidcToken(identityId: string, jwt: string): Promise {
+ const response = await fetch(
+ `${this.siteUrl || InfisicalPluginInstance.defaultSiteUrl}/api/v1/auth/oidc-auth/login`,
+ {
+ method: 'POST',
+ headers: {
+ 'Content-Type': 'application/x-www-form-urlencoded',
+ },
+ body: new URLSearchParams({
+ identityId,
+ jwt,
+ }),
+ },
+ );
+
+ if (!response.ok) {
+ const responseText = await response.text().catch(() => '');
+ throw new Error(responseText || `OIDC login failed with status ${response.status}`);
+ }
+
+ const payload = await response.json() as { accessToken?: string };
+ if (!payload.accessToken) {
+ throw new Error('OIDC login response did not include accessToken');
+ }
+
+ return payload.accessToken;
+ }
 private async initClient() {
 if (this.infisicalClientPromise) return this.infisicalClientPromise;
@@ -110,10 +139,8 @@ class InfisicalPluginInstance {
 });
 }
- await (client.auth() as any).oidcAuth.login({
- identityId: this.identityId,
- jwt,
- });
+ const accessToken = await this.exchangeOidcToken(this.identityId, jwt);
+ client.auth().accessToken(accessToken);
 debug('Infisical client initialized with OIDC Auth');
 }
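Review bot: The non-OK branch of exchangeOidcToken throws the raw response body as the whole error message whenever it is non-empty, so the HTTP status is dropped exactly when the server explains the failure, and an intermediary's HTML error page becomes the message verbatim. Keeping the status in every case and bounding the server-controlled text keeps the failure diagnosable without flooding logs: `throw new Error('OIDC login failed with status ' + response.status + (responseText ? ': ' + responseText.slice(0, 500) : ''));`. On the success path `response.json()` throws a bare SyntaxError for a 2xx body that is not JSON, and the `as { accessToken?: string }` assertion checks nothing at runtime; extending the existing guard to `if (typeof payload.accessToken !== 'string' || !payload.accessToken)` rejects a malformed payload with this method's own error rather than handing a non-string to `client.auth().accessToken` later.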
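Review bot: The access token is installed once on a client that initClient caches in infisicalClientPromise, and nothing in the new lines records when it expires; Infisical identity access tokens are issued with a TTL (the login response also carries `expiresIn` next to `accessToken`, if I read the API correctly), so a long-running process would keep presenting an expired token after the first TTL window. The removed SDK-side login may have handled renewal internally, which this replacement no longer gets for free. At minimum a comment such as `// accessToken is short-lived and the client is cached; re-init is needed once it expires` should state the limitation, or exchangeOidcToken could return the expiry so initClient can reset infisicalClientPromise when it passes. initClient begins in the previous hunk and `jwt` is assigned outside this hunk, so I cannot see whether an expiry is tracked elsewhere.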