PatchSiren cyber security CVE debrief
CVE-2026-20746 Ping Identity CVE debrief
CVE-2026-20746 is a MEDIUM severity vulnerability in Ping Identity PingDirectory. When recent login history is enabled, authorized users can exhaust the Java memory heap by copying virtual attributes that reference ds-privilege-name values. The vulnerability was published on 2026-06-12T04:17:04.510Z and last modified on 2026-06-12T16:06:17.027Z.
- Vendor: Ping Identity
- Product: PingDirectory
- CVSS: MEDIUM 6.3
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-06-12
- Original CVE updated: 2026-06-12
- Advisory published: 2026-06-12
- Advisory updated: 2026-06-12
Who should care
Administrators and users of Ping Identity PingDirectory should be aware of this vulnerability and take necessary actions to mitigate it.
Technical summary
The vulnerability is caused by improper handling of virtual attributes in Ping Identity PingDirectory. An authorized user can exploit this vulnerability to cause a denial of service by copying virtual attributes that reference ds-privilege-name values when recent login history is enabled.
Defensive priority
MEDIUM
Recommended defensive actions
- Apply the patches or updates provided by Ping Identity to fix the vulnerability.
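- Restrict access to authorized users to limit exposure; the vulnerability itself is exploitable by authorized users, so this reduces the risk but does not remove it.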
- Monitor the system for suspicious activity.
Evidence notes
The vulnerability was reported by Ping Identity and has been documented in their release notes and support articles. [ref-4](https://docs.pingidentity.com/pingdirectory/11.0/release_notes/pd_release_notes.html#pingdirectory-suite-of-products-11-0-0-1-march-2026), [ref-5](https://support.pingidentity.com/s/article/SECADV052-Denial-of-Service-via-copying-virtual-attributes), [ref-6](https://www.pingidentity.com/en/resources/downloads/pingdirectory-downloads.html)