{"api_version":"1","generated_at":"2026-06-12T21:34:08+00:00","cve":"CVE-2026-20746","urls":{"html":"https://cve.report/CVE-2026-20746","api":"https://cve.report/api/cve/CVE-2026-20746.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2026-20746","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2026-20746"},"summary":{"title":"PingDirectory copying of virtual attributes leads to memory exhaustion","description":"Virtual attribute handling in Ping Identity PingDirectory in affected versions allows only authorized users to exhaust java memory heap when recent login history is enabled and copying virtual attributes that reference ds-privilege-name values.","state":"PUBLISHED","assigner":"Ping Identity","published_at":"2026-06-12 04:17:04","updated_at":"2026-06-12 16:06:17"},"problem_types":["CWE-401","CWE-401 CWE-401 Missing release of memory after effective lifetime"],"metrics":[{"version":"4.0","source":"responsible-disclosure@pingidentity.com","type":"Secondary","score":"6.3","severity":"MEDIUM","vector":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:L/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:P/AU:Y/R:U/V:X/RE:M/U:Amber","data":{"version":"4.0","vectorString":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:L/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:P/AU:Y/R:U/V:X/RE:M/U:Amber","baseScore":6.3,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"LOW","attackRequirements":"NONE","privilegesRequired":"HIGH","userInteraction":"PASSIVE","vulnConfidentialityImpact":"NONE","vulnIntegrityImpact":"NONE","vulnAvailabilityImpact":"LOW","subConfidentialityImpact":"HIGH","subIntegrityImpact":"HIGH","subAvailabilityImpact":"HIGH","exploitMaturity":"NOT_DEFINED","confidentialityRequirement":"NOT_DEFINED","integrityRequirement":"NOT_DEFINED","availabilityRequirement":"NOT_DEFINED","modifiedAttackVector":"NOT_DEFINED","modifiedAttackComplexity":"NOT_DEFINED","modifiedAttackRequirements":"NOT_DEFINED","modifiedPrivilegesRequired":"NOT_DEFINED","modifiedUserInteraction":"NOT_DEFINED","modifiedVulnConfidentialityImpact":"NOT_DEFINED","modifiedVulnIntegrityImpact":"NOT_DEFINED","modifiedVulnAvailabilityImpact":"NOT_DEFINED","modifiedSubConfidentialityImpact":"NOT_DEFINED","modifiedSubIntegrityImpact":"NOT_DEFINED","modifiedSubAvailabilityImpact":"NOT_DEFINED","Safety":"PRESENT","Automatable":"YES","Recovery":"USER","valueDensity":"NOT_DEFINED","vulnerabilityResponseEffort":"MODERATE","providerUrgency":"AMBER"}},{"version":"4.0","source":"CNA","type":"CVSS","score":"6.3","severity":"MEDIUM","vector":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:L/SC:H/SI:H/SA:H/S:P/AU:Y/R:U/RE:M/U:Amber","data":{"Automatable":"YES","Recovery":"USER","Safety":"PRESENT","attackComplexity":"LOW","attackRequirements":"NONE","attackVector":"NETWORK","baseScore":6.3,"baseSeverity":"MEDIUM","exploitMaturity":"NOT_DEFINED","privilegesRequired":"HIGH","providerUrgency":"AMBER","subAvailabilityImpact":"HIGH","subConfidentialityImpact":"HIGH","subIntegrityImpact":"HIGH","userInteraction":"PASSIVE","valueDensity":"NOT_DEFINED","vectorString":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:L/SC:H/SI:H/SA:H/S:P/AU:Y/R:U/RE:M/U:Amber","version":"4.0","vulnAvailabilityImpact":"LOW","vulnConfidentialityImpact":"NONE","vulnIntegrityImpact":"NONE","vulnerabilityResponseEffort":"MODERATE"}}],"references":[{"url":"https://www.pingidentity.com/en/resources/downloads/pingdirectory-downloads.html","name":"https://www.pingidentity.com/en/resources/downloads/pingdirectory-downloads.html","refsource":"responsible-disclosure@pingidentity.com","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://support.pingidentity.com/s/article/SECADV052-Denial-of-Service-via-copying-virtual-attributes","name":"https://support.pingidentity.com/s/article/SECADV052-Denial-of-Service-via-copying-virtual-attributes","refsource":"responsible-disclosure@pingidentity.com","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://docs.pingidentity.com/pingdirectory/11.0/release_notes/pd_release_notes.html#pingdirectory-suite-of-products-11-0-0-1-march-2026","name":"https://docs.pingidentity.com/pingdirectory/11.0/release_notes/pd_release_notes.html#pingdirectory-suite-of-products-11-0-0-1-march-2026","refsource":"responsible-disclosure@pingidentity.com","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://www.cve.org/CVERecord?id=CVE-2026-20746","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-20746","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[{"source":"CNA","vendor":"Ping Identity","product":"PingDirectory","version":"affected 9.3.0.0 9.3.0.8 custom","platforms":[]},{"source":"CNA","vendor":"Ping Identity","product":"PingDirectory","version":"unknown 10.1.0.0 10.1.0.5 custom","platforms":[]},{"source":"CNA","vendor":"Ping Identity","product":"PingDirectory","version":"affected 10.2.0.0 10.2.0.5 custom","platforms":[]},{"source":"CNA","vendor":"Ping Identity","product":"PingDirectory","version":"affected 10.3.0.0 10.3.0.3 custom","platforms":[]},{"source":"CNA","vendor":"Ping Identity","product":"PingDirectory","version":"affected 11.0.0.0 11.0.0.1 custom","platforms":[]}],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[]},"source_records":{"cve_program":{"containers":{"adp":[{"metrics":[{"other":{"content":{"id":"CVE-2026-20746","options":[{"Exploitation":"none"},{"Automatable":"no"},{"Technical Impact":"partial"}],"role":"CISA Coordinator","timestamp":"2026-06-12T13:30:44.116370Z","version":"2.0.3"},"type":"ssvc"}}],"providerMetadata":{"dateUpdated":"2026-06-12T13:30:51.709Z","orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP"},"title":"CISA ADP Vulnrichment"}],"cna":{"affected":[{"defaultStatus":"unaffected","product":"PingDirectory","vendor":"Ping Identity","versions":[{"lessThanOrEqual":"9.3.0.8","status":"affected","version":"9.3.0.0","versionType":"custom"},{"lessThanOrEqual":"10.1.0.5","status":"unknown","version":"10.1.0.0","versionType":"custom"},{"lessThanOrEqual":"10.2.0.5","status":"affected","version":"10.2.0.0","versionType":"custom"},{"lessThanOrEqual":"10.3.0.3","status":"affected","version":"10.3.0.0","versionType":"custom"},{"lessThan":"11.0.0.1","status":"affected","version":"11.0.0.0","versionType":"custom"}]}],"descriptions":[{"lang":"en","supportingMedia":[{"base64":false,"type":"text/html","value":"Virtual attribute handling in Ping Identity PingDirectory in affected versions allows only authorized users to exhaust java memory heap when recent login history is enabled and copying virtual attributes that reference ds-privilege-name values."}],"value":"Virtual attribute handling in Ping Identity PingDirectory in affected versions allows only authorized users to exhaust java memory heap when recent login history is enabled and copying virtual attributes that reference ds-privilege-name values."}],"impacts":[{"capecId":"CAPEC-131","descriptions":[{"lang":"en","value":"CAPEC-131 Resource Leak Exposure"}]}],"metrics":[{"cvssV4_0":{"Automatable":"YES","Recovery":"USER","Safety":"PRESENT","attackComplexity":"LOW","attackRequirements":"NONE","attackVector":"NETWORK","baseScore":6.3,"baseSeverity":"MEDIUM","exploitMaturity":"NOT_DEFINED","privilegesRequired":"HIGH","providerUrgency":"AMBER","subAvailabilityImpact":"HIGH","subConfidentialityImpact":"HIGH","subIntegrityImpact":"HIGH","userInteraction":"PASSIVE","valueDensity":"NOT_DEFINED","vectorString":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:L/SC:H/SI:H/SA:H/S:P/AU:Y/R:U/RE:M/U:Amber","version":"4.0","vulnAvailabilityImpact":"LOW","vulnConfidentialityImpact":"NONE","vulnIntegrityImpact":"NONE","vulnerabilityResponseEffort":"MODERATE"},"format":"CVSS","scenarios":[{"lang":"en","value":"GENERAL"}]}],"problemTypes":[{"descriptions":[{"cweId":"CWE-401","description":"CWE-401 Missing release of memory after effective lifetime","lang":"en","type":"CWE"}]}],"providerMetadata":{"dateUpdated":"2026-06-12T02:16:59.690Z","orgId":"5998a2e9-ae88-42cd-b6e0-7564fd979f9e","shortName":"Ping Identity"},"references":[{"url":"https://docs.pingidentity.com/pingdirectory/11.0/release_notes/pd_release_notes.html#pingdirectory-suite-of-products-11-0-0-1-march-2026"},{"url":"https://www.pingidentity.com/en/resources/downloads/pingdirectory-downloads.html"},{"url":"https://support.pingidentity.com/s/article/SECADV052-Denial-of-Service-via-copying-virtual-attributes"}],"source":{"advisory":"SECADV052","defect":["DS-51122"],"discovery":"UNKNOWN"},"title":"PingDirectory copying of virtual attributes leads to memory exhaustion","x_generator":{"engine":"Vulnogram 1.0.2"}}},"cveMetadata":{"assignerOrgId":"5998a2e9-ae88-42cd-b6e0-7564fd979f9e","assignerShortName":"Ping Identity","cveId":"CVE-2026-20746","datePublished":"2026-06-12T02:16:59.690Z","dateReserved":"2026-01-07T15:15:23.456Z","dateUpdated":"2026-06-12T13:30:51.709Z","state":"PUBLISHED"},"dataType":"CVE_RECORD","dataVersion":"5.2"},"nvd":{"publishedDate":"2026-06-12 04:17:04","lastModifiedDate":"2026-06-12 16:06:17","problem_types":["CWE-401","CWE-401 CWE-401 Missing release of memory after effective lifetime"],"metrics":{"cvssMetricV40":[{"source":"responsible-disclosure@pingidentity.com","type":"Secondary","cvssData":{"version":"4.0","vectorString":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:L/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:P/AU:Y/R:U/V:X/RE:M/U:Amber","baseScore":6.3,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"LOW","attackRequirements":"NONE","privilegesRequired":"HIGH","userInteraction":"PASSIVE","vulnConfidentialityImpact":"NONE","vulnIntegrityImpact":"NONE","vulnAvailabilityImpact":"LOW","subConfidentialityImpact":"HIGH","subIntegrityImpact":"HIGH","subAvailabilityImpact":"HIGH","exploitMaturity":"NOT_DEFINED","confidentialityRequirement":"NOT_DEFINED","integrityRequirement":"NOT_DEFINED","availabilityRequirement":"NOT_DEFINED","modifiedAttackVector":"NOT_DEFINED","modifiedAttackComplexity":"NOT_DEFINED","modifiedAttackRequirements":"NOT_DEFINED","modifiedPrivilegesRequired":"NOT_DEFINED","modifiedUserInteraction":"NOT_DEFINED","modifiedVulnConfidentialityImpact":"NOT_DEFINED","modifiedVulnIntegrityImpact":"NOT_DEFINED","modifiedVulnAvailabilityImpact":"NOT_DEFINED","modifiedSubConfidentialityImpact":"NOT_DEFINED","modifiedSubIntegrityImpact":"NOT_DEFINED","modifiedSubAvailabilityImpact":"NOT_DEFINED","Safety":"PRESENT","Automatable":"YES","Recovery":"USER","valueDensity":"NOT_DEFINED","vulnerabilityResponseEffort":"MODERATE","providerUrgency":"AMBER"}}]},"configurations":[]},"legacy_mitre":{"record":{"CveYear":"2026","CveId":"20746","Ordinal":"1","Title":"PingDirectory copying of virtual attributes leads to memory exha","CVE":"CVE-2026-20746","Year":"2026"},"notes":[{"CveYear":"2026","CveId":"20746","Ordinal":"1","NoteData":"Virtual attribute handling in Ping Identity PingDirectory in affected versions allows only authorized users to exhaust java memory heap when recent login history is enabled and copying virtual attributes that reference ds-privilege-name values.","Type":"Description","Title":"PingDirectory copying of virtual attributes leads to memory exha"}]}}}