CVE-2026-20746
Description
Authorized users can exhaust PingDirectory's Java memory heap when recent login history is enabled and virtual attributes that reference ds-privilege-name values are copied.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
In PingIdentity PingDirectory, the virtual attribute handling implementation allows authorized users to exhaust the Java memory heap. This issue occurs specifically when recent login history is enabled and virtual attributes that reference ds-privilege-name values are copied. The affected versions are PingDirectory 11.0.0.0 and earlier releases on the 11.0 branch, as the fix was included in version 11.0.0.1 released in March 2026 [1].
Exploitation
An attacker must be an authorized user of the PingDirectory server. No additional network position or authentication bypass is required beyond having valid user credentials. The attacker triggers the vulnerability by performing operations that copy virtual attributes referencing ds-privilege-name values while recent login history is enabled. This sequence causes excessive allocation of Java heap memory [1].
Impact
Successful exploitation leads to memory heap exhaustion on the PingDirectory server, resulting in a denial of service (DoS). The attacker does not gain elevated privilege, data access, or the ability to modify data; the impact is purely on availability (A) of the directory service [1].
Mitigation
Ping Identity released the fix in PingDirectory version 11.0.0.1, published in March 2026. References confirm that version 11.0.0.2 is available for download, which also includes the fix [1][2]. Users should upgrade to version 11.0.0.1 or later. There is no mention of a workaround for unpatched versions. The vulnerability is not listed on CISA's Known Exploited Vulnerabilities (KEV) catalog as of the publication date [1][2].
AI Insight generated on Jun 12, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 1
Patches: 0
No patches discovered yet.
Vulnerability mechanics
No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References: 3
News mentions: 0
No linked articles in our index yet.