PingFederate Server

PingFederate 12.0.10 (October 2025)

Resolved issues

Host header redirect

Security PF-37460

We’ve fixed a security vulnerability that could have allowed malicious parties to redirect PingFederate admin console traffic using a spoofed Host header.

Virtual hostname accuracy in email notifications

Fixed PF-37964

We’ve fixed a defect where a template variable incorrectly used the primary PingFederate base URL instead of the virtual host name in some email notifications.

HTML flow login and Authentication API

Fixed PF-38039

We’ve fixed a defect that could potentially allow a user to access an HTML browser sign-on page when the Authentication API redirectless mode is used.

Learn more in “PingFederate unexpected template rendering in redirectless mode” in the Ping Identity Support Knowledge Base.

LDAP account lockout

Fixed PF-38043

We’ve fixed a defect where PingFederate could incorrectly lock user accounts during an LDAP connectivity failure with Active Directory. This fix applies to all LDAP datastore types except for Generic LDAP.

IdP Adapter duplicate attribute sources

Fixed PF-38060

We’ve fixed a defect that caused IdP adapters to duplicate attribute sources when an SP connection was updated using the Admin API.