Description
Virtual attribute handling in Ping Identity PingDirectory in affected versions allows only authorized users to exhaust the Java heap memory when recent login history is enabled and virtual attributes that reference ds-privilege-name values are copied.
Published: 2026-06-12
Score: 6.3 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Virtual attribute handling in Ping Identity PingDirectory allows authorized users to exhaust the Java memory heap when recent login history is enabled and virtual attributes that reference ds-privilege-name values are copied. This results in memory exhaustion, potentially causing the application to become unresponsive and leading to a denial‑of‑service condition.

Affected Systems

Ping Identity – PingDirectory is the affected product. Specific affected versions are not listed in the CVE data; customers should verify if their deployment includes a PingDirectory version prior to the latest security release.

Risk and Exploitability

The vulnerability carries a CVSS score of 6.3, indicating moderate severity. The EPSS score is not available, and the vulnerability is not in the CISA KEV catalog, suggesting limited known exploitation activity. Exploitation requires authenticated access with rights to copy virtual attributes, and recent login history must be enabled. Successful exploitation can consume heap memory until the application crashes or stalls.

Generated by OpenCVE AI on June 12, 2026 at 04:51 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest available patch for PingDirectory from the vendor’s downloads.
  • If an immediate upgrade is not possible, disable the recent login history feature or otherwise prevent the copying of virtual attributes that reference ds-privilege-name values.
  • Configure and monitor Java heap usage, setting appropriate memory limits and alerts to detect excessive consumption as early as possible.

Advisories

No advisories yet.

History

Fri, 12 Jun 2026 04:45:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Pingidentity; Pingidentity pingdirectory
Vendors & Products | | Pingidentity; Pingidentity pingdirectory

Fri, 12 Jun 2026 03:30:00 +0000

Type | Values Removed | Values Added
Description | | Virtual attribute handling in Ping Identity PingDirectory in affected versions allows only authorized users to exhaust the Java heap memory when recent login history is enabled and virtual attributes that reference ds-privilege-name values are copied.
Title | | PingDirectory copying of virtual attributes leads to memory exhaustion
Weaknesses | | CWE-401
References | |
Metrics | | cvssV4_0: {'score': 6.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:L/SC:H/SI:H/SA:H/S:P/AU:Y/R:U/RE:M/U:Amber'}

MITRE

Status: PUBLISHED

Assigner: Ping Identity

Published:

Updated: 2026-06-12T02:16:59.690Z

Reserved: 2026-01-07T15:15:23.456Z

Link: CVE-2026-20746

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-06-12T04:17:04.510

Modified: 2026-06-12T04:17:04.510

Link: CVE-2026-20746

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-12T05:00:17Z

Weaknesses
  • CWE-401: Missing Release of Memory after Effective Lifetime