CVE-2025-20628 (severity: Medium)

CVE-2025-20628: Insufficient granularity of access control for Remote Connector Servers in client mode

Vendor Ping Identity
Product PingIDM
Weakness CWE-1220
Published April 7, 2026
Last update April 8, 2026

CVSS base score

6.9/10
Attack vector Network
Attack complexity High
Privileges required None
User interaction None
Confidentiality High (VC:H in the vector below)
Integrity High (VI:H in the vector below)

CVSS vector

CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/S:P/AU:Y/R:U/V:C/RE:M/U:Red

What the vulnerability does

Description

An insufficient granularity of access control vulnerability exists in PingIDM (formerly ForgeRock Identity Management) where administrators cannot properly configure access rules for Remote Connector Servers (RCS) running in client mode. This means attackers can spoof a client-mode RCS (if one exists) to intercept and/or modify an identity’s security-relevant properties, such as passwords and account recovery information. This issue is exploitable only when an RCS is configured to run in client mode.

Key dates

Disclosure timeline

April 7, 2026 CVE published
April 8, 2026 Record updated