PingDirectory copying of virtual attributes leads to memory exhaustion
CVE-2026-20746

6.3MEDIUM

Key Information:

Vendor: Ping Identity
Status: Pingdirectory
Vendor: CVE Published:; 12 June 2026

🔔 Create Ping Identity Vulnerability Alert

What is CVE-2026-20746?

Virtual attribute handling in Ping Identity PingDirectory in affected versions allows only authorized users to exhaust java memory heap when recent login history is enabled and copying virtual attributes that reference ds-privilege-name values.

Affected Version(s)

PingDirectory 9.3.0.0 <= 9.3.0.8

PingDirectory 10.2.0.0 <= 10.2.0.5

PingDirectory 10.3.0.0 <= 10.3.0.3

References

https://docs.pingidentity.com/pingdirectory/11.0/release_...

https://www.pingidentity.com/en/resources/downloads/pingd...

https://support.pingidentity.com/s/article/SECADV052-Deni...

CVSS V4

Score:

6.3

Severity:

MEDIUM

Confidentiality:

None

Integrity:

None

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Attack Required:

None

Privileges Required:

Undefined

User Interaction:

Unknown

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jun 12, 2026
Vulnerability Reserved
Jan 7, 2026

CVE-2026-20746 Data

JSON