PingFederate 12.1.9 (September 2025)
Resolved issues
Admin console IP exposure
Security PF-33113
We’ve fixed a security vulnerability that could have allowed malicious parties to extract PingFederate administrative console IP addresses from HTTP response headers.
Host header redirect
Security PF-37460
We’ve fixed a security vulnerability that could have allowed malicious parties to redirect PingFederate admin console traffic using a spoofed Host header.
Refresh token MySQL deadlocks
Fixed PF-35868
We’ve fixed a defect that caused multiple refresh token requests in short succession to result in Java Database Connectivity (JDBC) data source deadlocks and duplicate data entries in the database.
Note that this fix can cause significant performance issues if PingFederate or the JDBC data source has insufficient resources.
Unnecessary ID token reissued with secondary client secret
Fixed PF-37450
We’ve fixed a defect that caused the token endpoint to unnecessarily reissue an ID token when using a secondary client secret and an asymmetric algorithm for token signing and encryption.
Virtual hostname accuracy in email notifications
Fixed PF-37964
We’ve fixed a defect where a template variable incorrectly used the primary PingFederate base URL instead of the virtual hostname in some email notifications.
HTML flow login and Authentication API
Fixed PF-38039
We’ve fixed a defect that could allow a user to access an HTML browser login page when the Authentication API redirectless mode is used.
Learn more in "PingFederate unexpected template rendering in redirectless mode" in the Support Knowledge Base.