CVE-2026-20746 | THREATINT

Description

Virtual attribute handling in Ping Identity PingDirectory in affected versions allows only authorized users to exhaust java memory heap when recent login history is enabled and copying virtual attributes that reference ds-privilege-name values.

PUBLISHED Reserved 2026-01-07 | Published 2026-06-12 | Updated 2026-06-12 | Assigner Ping Identity

MEDIUM: 6.3CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:L/SC:H/SI:H/SA:H/S:P/AU:Y/R:U/RE:M/U:Amber

Problem types

CWE-401 Missing release of memory after effective lifetime

Product status

Default status

unaffected

9.3.0.0 (custom)

affected

10.1.0.0 (custom)

unknown

10.2.0.0 (custom)

affected

10.3.0.0 (custom)

affected

11.0.0.0 (custom) before 11.0.0.1

affected

References

docs.pingidentity.com/...release_notes/pd_release_notes.html

www.pingidentity.com/...wnloads/pingdirectory-downloads.html

support.pingidentity.com/...e-via-copying-virtual-attributes

cve.org (CVE-2026-20746)

nvd.nist.gov (CVE-2026-20746)

Download JSON