PingFederate Server

PingFederate 12.0.9 (July 2025)

Resolved issues

Admin console IP exposure

Security PF-33113

We’ve fixed a security vulnerability that could have allowed malicious parties to extract the PingFederate administrative console’s IP address through HTTP Response headers.

Refresh token MySQL deadlocks

Fixed PF-35868

We’ve fixed a defect that caused multiple refresh token requests in short succession to result in Java database connectivity (JDBC) data source deadlocks and duplicated data entry into the database.

This fix can cause significant performance issues if PingFederate or the JDBC data source has insufficient resources.

Unnecessary ID token reissued with secondary client secret

Fixed PF-37450

We’ve fixed a defect that caused the token endpoint to unnecessarily reissue an ID token when using a secondary client secret and an asymmetric algorithm for token signing and encryption.