CVE-2026-20746

Published Jun 12, 2026

Last updated 2 days ago

CVSS medium 6.3

Overview

Description
Virtual attribute handling in Ping Identity PingDirectory in affected versions allows only authorized users to exhaust java memory heap when recent login history is enabled and copying virtual attributes that reference ds-privilege-name values.
Source
responsible-disclosure@pingidentity.com
NVD status
Awaiting Analysis

Risk scores

CVSS 4.0

Type
Secondary
Base score
6.3
Impact score
-
Exploitability score
-
Vector string
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:L/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:P/AU:Y/R:U/V:X/RE:M/U:Amber
Severity
MEDIUM

Weaknesses

responsible-disclosure@pingidentity.com
CWE-401

Social media

Hype score
Not currently trending

References

Sources include official advisories and independent security research.