CVE-2026-20746
MediumCVSS 6.3Exploitation Probability (EPSS)
Low risk11th percentile — higher than 11% of all known CVEs
Summary
Virtual attribute handling in Ping Identity PingDirectory in affected versions allows only authorized users to exhaust java memory heap when recent login history is enabled and copying virtual attributes that reference ds-privilege-name values.
Risk Assessment
The organization may experience performance issues or system crashes due to memory exhaustion, potentially leading to service outages.
Recommendation
It is recommended to monitor and restrict access to features that may lead to memory exhaustion and to update to the latest software version to minimize risk.
Original NVD description (English source)
Virtual attribute handling in Ping Identity PingDirectory in affected versions allows only authorized users to exhaust java memory heap when recent login history is enabled and copying virtual attributes that reference ds-privilege-name values.

