CVE-2025-26862

NONE

PingFederate - Auth Bypass

Title source: llm

Description

Unexpected authentication form rendering in HTML Form Adapter using only non-default redirectless mode in PingFederate allows authentication attempts which may enable brute force login attacks.

References (2)

[Various Sources] https://support.pingidentity.com/s/article/PingFederate-unexpected-template-rendering-in-redirectless-mode

[Various Sources] https://www.pingidentity.com/en/resources/downloads/pingfederate.html

Scores

CVSS v4 0.0

EPSS 0.0005

EPSS Percentile 16.3%

CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:N/SI:N/SA:N/S:P/AU:Y/RE:L/U:Amber

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-307

Status published

Products (5)

Ping Identity/PingFederate 11.3.0 - 11.3.14

Ping Identity/PingFederate 12.0.0 - 12.0.10

Ping Identity/PingFederate 12.1.0 - 12.1.9

Ping Identity/PingFederate 12.2.0 - 12.2.6

Ping Identity/PingFederate 12.3.0 - 12.3.3

Published Oct 27, 2025

Tracked Since Feb 18, 2026