Pingidentity Pingfederate
By the Year
In 2026 there have been 0 vulnerabilities in Pingidentity Pingfederate. Last year, in 2025, Pingfederate had 4 security vulnerabilities published. Right now, Pingfederate is on track to have fewer security vulnerabilities in 2026 than it did last year.
| Year | Vulnerabilities | Average Score |
|---|---|---|
| 2026 | 0 | 0.00 |
| 2025 | 4 | 0.00 |
| 2024 | 5 | 6.47 |
| 2023 | 8 | 7.38 |
| 2022 | 2 | 6.50 |
| 2021 | 2 | 8.65 |
It may take a day or so for new Pingfederate vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally, vulnerabilities may be tagged under a different product or component name.
Recent Pingidentity Pingfederate Security Vulnerabilities
PingFederate Brute-Force Risk via Auth Form in Redirectless Mode
CVE-2025-26862
- October 27, 2025
Unexpected rendering of the authentication form in the HTML Form Adapter, only when the non-default redirectless mode is used in PingFederate, allows authentication attempts that may enable brute-force login attacks.
Improper Restriction of Excessive Authentication Attempts
PingFederate Admin Console XSS via Unsanitized User Data
CVE-2024-25573
- June 15, 2025
Unsanitized user-supplied data saved in the PingFederate Administrative Console could trigger the execution of JavaScript code in subsequent user processing.
Thread Exhaustion via Non-200 HTTP in PingFederate Google Adapter
CVE-2025-22854
- June 15, 2025
Improper handling of non-200 HTTP responses in the PingFederate Google Adapter leads to thread exhaustion under normal usage conditions.
PingFederate OAuth2 Grant Duplication Causes Memory Overuse
CVE-2025-21085
- June 15, 2025
PingFederate OAuth2 grant duplication in PostgreSQL persistent storage allows OAuth2 requests to consume excessive memory.
JSON Injection in PingFederate REST API POST
CVE-2024-21832
- July 09, 2024
A potential JSON injection attack vector exists in PingFederate REST API data stores using the POST method and a JSON request body.
PingFederate Deploy Dir Unauthorized Access on Runtime Nodes
CVE-2024-22377
5.3 - Medium
- July 09, 2024
The deploy directory on PingFederate runtime nodes is reachable by unauthorized users.
Directory traversal
Admin Console OIDC Policy Editor XSS for admin users
CVE-2024-22477
4.3 - Medium
- July 09, 2024
A cross-site scripting vulnerability exists in the admin console OIDC Policy Management Editor. The impact is contained to admin console users only.
XSS
PingFederate SSRF allows unauthenticated POST requests
CVE-2023-40148
- April 10, 2024
Server-side request forgery (SSRF) in PingFederate allows unauthenticated HTTP requests to attack network resources and consume server-side resources via forged HTTP POST requests.
Keycloak 11.3 OAuth2 client_secret_jwt Auth Bypass
CVE-2023-40545
9.8 - Critical
- February 06, 2024
Authentication bypass via specially crafted requests when an OAuth2 client uses client_secret_jwt as its authentication method on affected 11.3 versions.
Missing Authentication for Critical Function
PingFederate MFA Adapter Device Pairing Bypass (CVE-2023-39231)
CVE-2023-39231
6.5 - Medium
- October 25, 2023
PingFederate using the PingOne MFA adapter allows a new MFA device to be paired without requiring second factor authentication from an existing registered device. A threat actor may be able to exploit this vulnerability to register their own MFA device if they have knowledge of a victim user's first factor credentials.
Missing Authentication for Critical Function
PingFederate MSCHAP RADIUS Auth Bypass via Maliciously Crafted RADIUS Client
CVE-2023-39930
9.8 - Critical
- October 25, 2023
A first-factor authentication bypass vulnerability exists in PingFederate with the PingID RADIUS PCV when an MSCHAP authentication request is sent via a maliciously crafted RADIUS client request.
Missing Authentication for Critical Function
AWS DynamoDB Unauthorized Data Leak via Crafted Table Request
CVE-2023-34085
4.3 - Medium
- October 25, 2023
When an AWS DynamoDB table is used for user attribute storage, it is possible to retrieve the attributes of another user using a maliciously crafted request.
PingFederate Identifier First Adapter Auth Bypass
CVE-2023-37283
9.8 - Critical
- October 25, 2023
Under a very specific and strongly discouraged configuration, authentication bypass is possible in the PingFederate Identifier First Adapter.
Authentication
PingFederate Admin Console ClassLoading Enum DoS
CVE-2023-39219
7.5 - High
- October 25, 2023
A PingFederate Administrative Console dependency contains a weakness where the console becomes unresponsive when it receives crafted Java class loading enumeration requests.
Resource Exhaustion
PingID Adapter for PingFederate: RSA padding misconfig bypasses offline MFA
CVE-2022-40722
5.8 - Medium
- April 25, 2023
A misconfiguration of RSA padding implemented in the PingID Adapter for PingFederate to support Offline MFA with PingID mobile authenticators is vulnerable to pre-computed dictionary attacks, leading to a bypass of offline MFA.
Use of a Broken or Risky Cryptographic Algorithm
PingID RADIUS Adapter MFA Bypass in PingFederate
CVE-2022-40723
6.5 - Medium
- April 25, 2023
The PingID RADIUS PCV adapter for PingFederate, which supports RADIUS authentication with PingID MFA, is vulnerable to MFA bypass under certain configurations.
Authentication
PingFederate CSRF via crafted GET request
CVE-2022-40724
8.8 - High
- April 25, 2023
The PingFederate Local Identity Profiles '/pf/idprofile.ping' endpoint is vulnerable to Cross-Site Request Forgery (CSRF) through crafted GET requests.
Session Riding
When a password reset mechanism is configured to use the Authentication API with an Authentication Policy, email One-Time Password, PingID or SMS authentication, an existing user
CVE-2022-23722
6.5 - Medium
- May 02, 2022
When a password reset mechanism is configured to use the Authentication API with an Authentication Policy, email One-Time Password, PingID or SMS authentication, an existing user can reset another existing user's password.
Authentication
When a password reset or password change flow with an authentication policy is configured and the adapter in the reset or change policy supports multiple parallel reset flows, an existing user
CVE-2021-42000
6.5 - Medium
- February 10, 2022
When a password reset or password change flow with an authentication policy is configured and the adapter in the reset or change policy supports multiple parallel reset flows, an existing user can reset another existing user's password.
Ping Identity PingFederate before 10.3.1 mishandles pre-parsing validation, leading to an XXE attack
CVE-2021-41770
7.5 - High
- October 07, 2021
Ping Identity PingFederate before 10.3.1 mishandles pre-parsing validation, leading to an XXE attack that can achieve XML file disclosure.
XXE
The Authentication API in Ping Identity PingFederate before 10.3 mishandles certain aspects of external password management.
CVE-2021-40329
9.8 - Critical
- September 27, 2021
The Authentication API in Ping Identity PingFederate before 10.3 mishandles certain aspects of external password management.