Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Network-reachable web app, low-privilege authenticated user crafts URLs (PR:L, AC:L, UI:N); high confidentiality from cross-record data exposure, no integrity, minor availability.
Primary rating from Vendor (Pega).
CVSS VectorVendor: Pega
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
1DescriptionCVE.org
Pega Platform versions 8.3.0 through Infinity 25.1.2 are affected by an authorization weakness that may allow authenticated users to access certain additional data via crafted URLs.
AnalysisAI
Authorization bypass in Pega Platform versions 8.3.0 through Infinity 25.1.2 allows authenticated users to access additional data they should not be permitted to view by submitting crafted URLs. The flaw is a CWE-639 authorization key manipulation issue affecting Pega Infinity deployments, with no public exploit identified at time of analysis and high confidentiality impact per the vendor-provided CVSS 4.0 vector.
Technical ContextAI
Pega Platform (also marketed as Pega Infinity) is a low-code business process management and CRM application platform widely used for case management, customer service, and workflow automation in large enterprises. The root cause is CWE-639 (Authorization Bypass Through User-Controlled Key), in which the application uses identifiers supplied in URLs to look up records but fails to validate that the requesting user is actually authorized to access the referenced object. By tampering with these URL parameters (an Insecure Direct Object Reference pattern), an authenticated user can pivot from their own data to data belonging to other users, tenants, or case instances.
RemediationAI
Patch available per vendor advisory: apply the fixes described in the Pega Security Advisories at https://support.pega.com/support-doc/pega-security-advisory-i25-vulnerability-remediation-note and https://support.pega.com/support-doc/pega-security-advisory-h26-vulnerability-remediation-note, which Pega publishes as version-specific remediation notes for the affected 8.3.0 through Infinity 25.1.2 range; exact fixed build numbers are not independently confirmed in the supplied data and must be read from those advisories. Until patched, restrict Pega Platform access to trusted users only (VPN/SSO with conditional access), aggressively review role-based access control and access group configurations to minimize the data any single authenticated principal can request, and enable detailed audit logging on case and data-page access so anomalous URL/ID enumeration patterns can be detected - note that tightening RBAC may break legitimate cross-case workflows and should be staged. Avoid exposing Pega directly to the public internet where feasible, since this raises the bar against credential-stuffed attackers leveraging the flaw.
More in Pega Infinity
View allPega Platform versions 8.1.0 through 25.1.1 are affected by an HTML Injection vulnerability in a user interface componen
Pega Platform versions 8.1.0 through 25.1.1 are affected by a Stored Cross-Site Scripting vulnerability in a user interf
Stored cross-site scripting (XSS) in Pega Platform versions 8.1.0 through 25.1.0 allows authenticated administrative use
Reflected cross-site scripting in Pega Platform (Pega Infinity) versions 8.1.0 through 25.1.2 allows a high-privileged a
Stored cross-site scripting in Pega Platform (Pega Infinity) versions 8.1.0 through 25.1.2 allows a high-privileged deve
Same technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2025-210309
GHSA-qxvh-qppg-j3pv