CVE-2026-20746
PingDirectory copying of virtual attributes leads to memory exhaustion
CVSS Score
0.0
EPSS Score
0.0%
EPSS Percentile
0th
Virtual attribute handling in Ping Identity PingDirectory in affected versions allows only authorized users to exhaust java memory heap when recent login history is enabled and copying virtual attributes that reference ds-privilege-name values.
| CWE | CWE-401 |
| Vendor | ping identity |
| Product | pingdirectory |
| Published | Jun 12, 2026 |
Stay Ahead of the Next One
Get instant alerts for ping identity pingdirectory
Be the first to know when new unknown vulnerabilities affecting ping identity pingdirectory are published — delivered to Slack, Telegram or Discord.
Get Free Alerts →
Free · No credit card · 60 sec setup
Affected Versions
Ping Identity / PingDirectory
9.3.0.0 ≤ 9.3.0.8 10.2.0.0 ≤ 10.2.0.5 10.3.0.0 ≤ 10.3.0.3 11.0.0.0 < 11.0.0.1
References
docs.pingidentity.com: https://docs.pingidentity.com/pingdirectory/11.0/release_notes/pd_release_notes.html#pingdirectory-suite-of-products-11-0-0-1-march-2026 pingidentity.com: https://www.pingidentity.com/en/resources/downloads/pingdirectory-downloads.html support.pingidentity.com: https://support.pingidentity.com/s/article/SECADV052-Denial-of-Service-via-copying-virtual-attributes