CVE-2026-20746

medium

Description

Virtual attribute handling in Ping Identity PingDirectory in affected versions allows only authorized users to exhaust java memory heap when recent login history is enabled and copying virtual attributes that reference ds-privilege-name values.

References

https://www.pingidentity.com/en/resources/downloads/pingdirectory-downloads.html

https://support.pingidentity.com/s/article/SECADV052-Denial-of-Service-via-copying-virtual-attributes

https://docs.pingidentity.com/pingdirectory/11.0/release_notes/pd_release_notes.html#pingdirectory-suite-of-products-11-0-0-1-march-2026

Details

Source: Mitre, NVD

Published: 2026-06-12

Updated: 2026-06-12

Risk Information

CVSS v2

Base Score: 6.4

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:N

Severity: Medium

CVSS v3

Base Score: 8.1

Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H

Severity: High

CVSS v4

Base Score: 6.3

Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:L/SC:H/SI:H/SA:H