Skip to main content

PingDirectory CVE-2026-20746

| EUVDEUVD-2026-36374 MEDIUM
Memory Leak (CWE-401)
2026-06-12 Ping Identity GHSA-m4wx-pp34-v6v9
6.3
CVSS 4.0 · Vendor: Ping Identity
Share

Severity by source

Vendor (Ping Identity) PRIMARY
6.3 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:L/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:P/AU:Y/R:U/V:X/RE:M/U:Amber
vuln.today AI
5.8 MEDIUM

AC:H reflects the non-default configuration prerequisite (recent login history enabled); PR:H for authorized-only access; S:C because heap exhaustion cascades to all downstream identity-dependent systems.

3.1 AV:N/AC:H/PR:H/UI:N/S:C/C:N/I:N/A:H
4.0 AV:N/AC:L/AT:P/PR:H/UI:N/VC:N/VI:N/VA:H/SC:H/SI:H/SA:H

Primary rating from Vendor (Ping Identity).

CVSS VectorVendor: Ping Identity

CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:L/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:P/AU:Y/R:U/V:X/RE:M/U:Amber
Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
P
Scope
P

Lifecycle Timeline

2
Patch available
Jun 12, 2026 - 05:01 EUVD
Analysis Generated
Jun 12, 2026 - 03:44 vuln.today

DescriptionCVE.org

Virtual attribute handling in Ping Identity PingDirectory in affected versions allows only authorized users to exhaust java memory heap when recent login history is enabled and copying virtual attributes that reference ds-privilege-name values.

AnalysisAI

PingDirectory's virtual attribute processing exposes an authenticated denial-of-service path capable of exhausting the Java heap, with cascading availability, confidentiality, and integrity impacts on all downstream identity-dependent systems. Authorized users with elevated directory privileges can trigger progressive, unreclaimed heap allocation by copying virtual attributes referencing ds-privilege-name values while recent login history is active. The vendor-assigned CVSS 4.0 score of 6.3 (Amber urgency) masks notably high subsequent-system impact ratings (SC:H/SI:H/SA:H), reflecting that the real organizational risk lies not in PingDirectory itself but in the authentication and authorization disruption cascading to every application integrated with the directory; no public exploit code or CISA KEV listing has been identified at time of analysis.

Technical ContextAI

PingDirectory is Ping Identity's enterprise LDAP directory service. Virtual attributes in LDAP are not stored in the directory information tree but are computed at query time based on logic or references to other attribute values. The ds-privilege-name attribute is a Ping Identity-specific LDAP operational attribute that governs directory access control privileges. CWE-401 (Missing Release of Memory After Effective Lifetime) identifies the root cause as a memory-leak class defect: when the virtual attribute engine processes copy operations referencing ds-privilege-name under the recent login history code path, allocated Java heap objects are not returned to the garbage collector after their effective use, resulting in progressive heap growth. Sufficiently repeated invocations will drive the JVM to OutOfMemoryError conditions, halting or severely degrading the directory process. The CPE string cpe:2.3:a:ping_identity:pingdirectory:*:*:*:*:*:*:*:* indicates the wildcard version range - all versions prior to the patched 11.0.0.1 release are potentially affected, though the oldest affected version is not confirmed in available intelligence.

RemediationAI

Upgrade to PingDirectory 11.0.0.1 or later, available from the Ping Identity downloads portal at https://www.pingidentity.com/en/resources/downloads/pingdirectory-downloads.html, with release notes at https://docs.pingidentity.com/pingdirectory/11.0/release_notes/pd_release_notes.html and full advisory details at https://support.pingidentity.com/s/article/SECADV052-Denial-of-Service-via-copying-virtual-attributes. If immediate patching cannot be completed, the primary compensating control is to disable the recent login history feature in PingDirectory, which removes the necessary configuration prerequisite for exploitation; note that disabling this feature will eliminate login audit trail data, which may have compliance implications in regulated environments. A secondary control is to audit and restrict directory privilege assignments to reduce the set of users capable of performing virtual attribute copy operations on sensitive operational attributes like ds-privilege-name, enforcing least-privilege access; this does not eliminate the vulnerability but raises the bar for exploitation by narrowing the authorized user pool.

More in Java

View all
CVE-2012-4681 CRITICAL POC
9.8 Aug 28

Oracle Java SE 7 Update 6 and earlier contains multiple sandbox bypass vulnerabilities via the ClassFinder and forName m

CVE-2015-7450 CRITICAL POC
9.8 Jan 02

Remote code execution in IBM Sterling B2B Integrator, Sterling Integrator, and Tivoli Common Reporting allows unauthenti

CVE-2013-2465 CRITICAL POC
9.8 Jun 18

Java Runtime Environment sandbox bypass via incorrect image channel verification in 2D component allows remote unauthent

CVE-2011-3544 CRITICAL POC
9.8 Oct 19

Oracle Java SE JDK/JRE 7 and 6 Update 27 and earlier allows remote code execution with complete system compromise throug

CVE-2010-1871 HIGH POC
8.8 Aug 05

JBoss Seam 2 in Red Hat JBoss EAP 4.3.0 fails to sanitize JBoss Expression Language inputs, allowing remote attackers to

CVE-2012-1723 CRITICAL POC
9.8 Jun 16

Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 update 4 and earlier, 6 up

CVE-2013-0422 CRITICAL POC
9.8 Jan 10

Multiple vulnerabilities in Oracle Java 7 before Update 11 allow remote attackers to execute arbitrary code by (1) using

CVE-2012-0507 CRITICAL POC
9.8 Jun 07

Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 2 and earlier, 6 Up

CVE-2015-4852 CRITICAL POC
9.8 Nov 18

The WLS Security component in Oracle WebLogic Server 10.3.6.0, 12.1.2.0, 12.1.3.0, and 12.2.1.0 allows remote attackers

CVE-2012-5076 CRITICAL POC
9.8 Oct 16

Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 7 and earlier allow

CVE-2017-3066 CRITICAL POC
9.8 Apr 27

Remote unauthenticated attackers can execute arbitrary code on Adobe ColdFusion servers through Java deserialization fla

CVE-2012-0391 CRITICAL POC
9.8 Jan 08

The ExceptionDelegator component in Apache Struts before 2.2.3.1 interprets parameter values as OGNL expressions during

Share

CVE-2026-20746 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy