CVE-2025-26862 NONE

CVE-2025-26862: PingFederate unexpected browser flow initiation in redirectless mode

Vendor Ping Identity
Product PingFederate
Weakness CWE-307 · Brute force
Published October 27, 2025
Last update October 27, 2025

CVSS base score

0.0/10
Attack vector Network
Attack complexity High
Privileges required Low
User interaction
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:N/SI:N/SA:N/S:P/AU:Y/RE:L/U:Amber

What the vulnerability does

01Description

Unexpected authentication form rendering in HTML Form Adapter using only non-default redirectless mode in PingFederate allows authentication attempts which may enable brute force login attacks.

Key dates

02Disclosure timeline

October 27, 2025 CVE published
October 27, 2025 Record updated