Skip to main content

Pingdirectory

1 CVEs product

Monthly

CVE-2026-20746 MEDIUM PATCH This Month

PingDirectory's virtual attribute processing exposes an authenticated denial-of-service path capable of exhausting the Java heap, with cascading availability, confidentiality, and integrity impacts on all downstream identity-dependent systems. Authorized users with elevated directory privileges can trigger progressive, unreclaimed heap allocation by copying virtual attributes referencing `ds-privilege-name` values while recent login history is active. The vendor-assigned CVSS 4.0 score of 6.3 (Amber urgency) masks notably high subsequent-system impact ratings (SC:H/SI:H/SA:H), reflecting that the real organizational risk lies not in PingDirectory itself but in the authentication and authorization disruption cascading to every application integrated with the directory; no public exploit code or CISA KEV listing has been identified at time of analysis.

Java Information Disclosure Pingdirectory
NVD VulDB
CVSS 4.0
6.3
EPSS
0.0%
EPSS 0% CVSS 6.3
MEDIUM PATCH This Month

PingDirectory's virtual attribute processing exposes an authenticated denial-of-service path capable of exhausting the Java heap, with cascading availability, confidentiality, and integrity impacts on all downstream identity-dependent systems. Authorized users with elevated directory privileges can trigger progressive, unreclaimed heap allocation by copying virtual attributes referencing `ds-privilege-name` values while recent login history is active. The vendor-assigned CVSS 4.0 score of 6.3 (Amber urgency) masks notably high subsequent-system impact ratings (SC:H/SI:H/SA:H), reflecting that the real organizational risk lies not in PingDirectory itself but in the authentication and authorization disruption cascading to every application integrated with the directory; no public exploit code or CISA KEV listing has been identified at time of analysis.

Java Information Disclosure Pingdirectory
NVD VulDB

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy