CVE-2026-20746
Awaiting Analysis
Awaiting Analysis - Queue
Virtual Attribute Handling Memory Exhaustion in PingDirectory
Vulnerability report for CVE-2026-20746, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.
Publication date: 2026-06-12
Last updated on: 2026-06-12
Assigner: Ping Identity Corporation
Description
Description
Virtual attribute handling in Ping Identity PingDirectory in affected versions allows only authorized users to exhaust java memory heap when recent login history is enabled and copying virtual attributes that reference ds-privilege-name values.
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| ping_identity | pingdirectory | 11.0.0.2 |
| ping_identity | pingdirectory_proxy | 11.0.0.2 |
| ping_identity | pingdatasync | 11.0.0.2 |
| ping_identity | pingdataserver_sdk | 11.0.0.2 |
| ping_identity | pingdirectory_delegated_user_admin | 5.1.0.0 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-401 | The product does not sufficiently track and release allocated memory after it has been used, making the memory unavailable for reallocation and reuse. |