CVE-2026-20746 PUBLISHED

PingDirectory copying of virtual attributes leads to memory exhaustion

Assigner: Ping Identity
Reserved: 07.01.2026 Published: 12.06.2026 Updated: 12.06.2026

Virtual attribute handling in affected versions of Ping Identity PingDirectory allows authorized users only to exhaust the Java memory heap when recent login history is enabled and virtual attributes that reference ds-privilege-name values are copied.

Metrics

CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:L/SC:H/SI:H/SA:H/S:P/AU:Y/R:U/RE:M/U:Amber
CVSS Score: 6.3

Product Status

Vendor: Ping Identity
Product: PingDirectory
Versions (default: unaffected):
  • affected from 9.3.0.0 to 9.3.0.8 (incl.)
  • unknown from 10.1.0.0 to 10.1.0.5 (incl.)
  • affected from 10.2.0.0 to 10.2.0.5 (incl.)
  • affected from 10.3.0.0 to 10.3.0.3 (incl.)
  • affected from 11.0.0.0 to 11.0.0.1 (excl.)

Problem Types

  • CWE-401 Missing release of memory after effective lifetime

Impacts

  • CAPEC-131 Resource Leak Exposure