Description
An insufficient granularity of access control vulnerability exists in PingIDM (formerly ForgeRock Identity Management) where administrators cannot properly configure access rules for Remote Connector Servers (RCS) running in client mode. This means attackers can spoof a client-mode RCS (if one exists) to intercept and/or modify an identity’s security-relevant properties, such as passwords and account recovery information. This issue is exploitable only when an RCS is configured to run in client mode.
Published: 2026-04-07
Score: 6.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Identity Compromise
Action: Immediate Patch
AI Analysis

Impact

PingIDM, formerly ForgeRock Identity Management, contains an access control weakness that allows an attacker to impersonate a Remote Connector Server (RCS) running in client mode. By spoofing the RCS endpoint, the attacker can intercept or modify an identity’s security-relevant properties, such as passwords and account recovery information. This flaw leads to a loss of confidentiality and integrity for credential data and can result in full account compromise.

Affected Systems

The vulnerability affects Ping Identity’s PingIDM product. Specific version details are not provided in the available information.

Risk and Exploitability

The flaw carries a CVSS score of 6.9, indicating moderate severity, and is not listed in the CISA KEV catalog. Exploitation requires that a Remote Connector Server be configured in client mode and that the attacker can reach the /openicf endpoint. The risk to an organization is elevated if such a client‑mode server is in use, since a spoofed RCS can alter passwords and recovery data without the administrator’s knowledge.

Generated by OpenCVE AI on April 7, 2026 at 23:12 UTC.

Remediation

Vendor Solution

Both of the following steps are required to mitigate the issue:
  • Upgrade to one of the fixed versions listed previously.
  • Secure the /openicf endpoint using the new access and authentication configuration options (refer to migration dependent features, https://docs.pingidentity.com/pingoneaic/latest/product-information/migration-dependent-features.html#current_migration_dependent_features, for more details).


Vendor Workaround

Configure a reverse proxy (such as PingGateway) to enforce IP and certificate-based rules for the /openicf endpoint.


OpenCVE Recommended Actions

  • Upgrade PingIDM to one of the fixed versions released by the vendor
  • Secure the /openicf endpoint by applying the new access and authentication configuration options provided in the migration documentation
  • If immediate upgrade is not possible, configure a reverse proxy (e.g., PingGateway) to enforce IP and certificate‑based rules for the /openicf endpoint
  • Reconfigure all Remote Connector Server instances to run in server mode to eliminate the client‑mode vulnerability
  • Verify that the latest vendor updates have been applied and monitor for future advisories

Generated by OpenCVE AI on April 7, 2026 at 23:12 UTC.
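One way to realise the reverse-proxy workaround above (IP plus certificate rules in front of /openicf) is shown below. This is an added illustration using nginx rather than PingGateway; it is not configuration from Ping Identity or OpenCVE, and the hostname, RCS IP address, certificate paths and backend address are placeholders.

```nginx
# Added illustration: an nginx front end that only lets the known RCS host,
# presenting a certificate issued by the RCS CA, reach /openicf. Any other
# client is rejected before the request touches PingIDM.
# All names, addresses and paths below are placeholders.
server {
    listen 443 ssl;
    server_name idm.example.internal;

    ssl_certificate     /etc/nginx/tls/idm.crt;
    ssl_certificate_key /etc/nginx/tls/idm.key;

    # CA that issued the client-mode RCS's certificate. "optional" requests a
    # client certificate on every connection but lets each location decide
    # whether to require it (see the check inside /openicf).
    ssl_client_certificate /etc/nginx/tls/rcs-ca.pem;
    ssl_verify_client      optional;
    ssl_verify_depth       2;

    # Connector endpoint: the network rule AND the certificate rule must pass.
    location /openicf {
        allow 10.20.30.40;   # the single host that runs the client-mode RCS
        deny  all;

        # $ssl_client_verify is SUCCESS only for a chain validated against
        # rcs-ca.pem; NONE or FAILED:<reason> otherwise.
        if ($ssl_client_verify != SUCCESS) {
            return 403;
        }

        proxy_pass http://idm-backend:8080;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }

    # Everything else (admin UI, REST API) passes through unchanged.
    location / {
        proxy_pass http://idm-backend:8080;
        proxy_set_header Host $host;
    }
}
```

Validate with `nginx -t`, then confirm from a non-RCS host that /openicf returns 403 while other paths still reach PingIDM; the backend itself should also be firewalled so that /openicf is reachable only through the proxy.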


Advisories

No advisories yet.

History

Thu, 09 Apr 2026 08:30:00 +0000

Type: First Time appeared
  Values Removed: (none)
  Values Added: Pingidentity; Pingidentity pingidm
Type: Vendors & Products
  Values Removed: (none)
  Values Added: Pingidentity; Pingidentity pingidm

Wed, 08 Apr 2026 16:15:00 +0000

Type: Metrics (ssvc)
  Values Removed: (none)
  Values Added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Tue, 07 Apr 2026 22:45:00 +0000

Type: Description
  Values Removed: (none)
  Values Added: An insufficient granularity of access control vulnerability exists in PingIDM (formerly ForgeRock Identity Management) where administrators cannot properly configure access rules for Remote Connector Servers (RCS) running in client mode. This means attackers can spoof a client-mode RCS (if one exists) to intercept and/or modify an identity’s security-relevant properties, such as passwords and account recovery information. This issue is exploitable only when an RCS is configured to run in client mode.
Type: Title
  Values Removed: (none)
  Values Added: Insufficient granularity of access control for Remote Connector Servers in client mode
Type: Weaknesses
  Values Removed: (none)
  Values Added: CWE-1220
Type: References
  Values Removed: (none)
  Values Added: (empty)
Type: Metrics (cvssV4_0)
  Values Removed: (none)
  Values Added: {'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/S:P/AU:Y/R:U/V:C/RE:M/U:Red'}


MITRE

Status: PUBLISHED

Assigner: Ping Identity

Published:

Updated: 2026-04-08T15:16:29.865Z

Reserved: 2025-01-13T16:41:43.939Z

Link: CVE-2025-20628

Vulnrichment

Updated: 2026-04-08T15:16:26.667Z

NVD

Status : Awaiting Analysis

Published: 2026-04-07T23:16:27.040

Modified: 2026-04-08T21:26:35.910

Link: CVE-2025-20628

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-09T08:22:56Z

Weaknesses