CVE-2025-26862

NONE

PingFederate 11.3.0-11.3.13, 12.0.0-12.0.9, 12.1.0-12.1.8, 12.2.0-12.2.5, 12.3.0-12.3.2 Brute Force Login

Title source: llm

Description

Unexpected authentication form rendering in HTML Form Adapter using only non-default redirectless mode in PingFederate allows authentication attempts which may enable brute force login attacks.

References (2)

Core 2

Core References

Various Sources

https://support.pingidentity.com/s/article/PingFederate-unexpected-template-rendering-in-redirectless-mode

Various Sources

https://www.pingidentity.com/en/resources/downloads/pingfederate.html

Scores

CVSS v4 0.0

EPSS 0.0031

EPSS Percentile 22.7%

CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:N/SI:N/SA:N/S:P/AU:Y/RE:L/U:Amber

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-307

Status published

Products (5)

Ping Identity/PingFederate 11.3.0 - 11.3.14

Ping Identity/PingFederate 12.0.0 - 12.0.10

Ping Identity/PingFederate 12.1.0 - 12.1.9

Ping Identity/PingFederate 12.2.0 - 12.2.6

Ping Identity/PingFederate 12.3.0 - 12.3.3

Published Oct 27, 2025

Tracked Since Feb 18, 2026