Skip to main content

Pega Platform EUVDEUVD-2025-210309

| CVE-2025-62180 HIGH
Authorization Bypass Through User-Controlled Key (CWE-639)
2026-06-23 Pega GHSA-qxvh-qppg-j3pv
7.1
CVSS 4.0 · Vendor: Pega
Share

Severity by source

Vendor (Pega) PRIMARY
7.1 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
7.1 HIGH

Network-reachable web app, low-privilege authenticated user crafts URLs (PR:L, AC:L, UI:N); high confidentiality from cross-record data exposure, no integrity, minor availability.

3.1 AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:L
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:L/SC:N/SI:N/SA:N

Primary rating from Vendor (Pega).

CVSS VectorVendor: Pega

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

1
Analysis Generated
Jun 23, 2026 - 16:00 vuln.today

DescriptionCVE.org

Pega Platform versions 8.3.0 through Infinity 25.1.2 are affected by an authorization weakness that may allow authenticated users to access certain additional data via crafted URLs.

AnalysisAI

Authorization bypass in Pega Platform versions 8.3.0 through Infinity 25.1.2 allows authenticated users to access additional data they should not be permitted to view by submitting crafted URLs. The flaw is a CWE-639 authorization key manipulation issue affecting Pega Infinity deployments, with no public exploit identified at time of analysis and high confidentiality impact per the vendor-provided CVSS 4.0 vector.

Technical ContextAI

Pega Platform (also marketed as Pega Infinity) is a low-code business process management and CRM application platform widely used for case management, customer service, and workflow automation in large enterprises. The root cause is CWE-639 (Authorization Bypass Through User-Controlled Key), in which the application uses identifiers supplied in URLs to look up records but fails to validate that the requesting user is actually authorized to access the referenced object. By tampering with these URL parameters (an Insecure Direct Object Reference pattern), an authenticated user can pivot from their own data to data belonging to other users, tenants, or case instances.

RemediationAI

Patch available per vendor advisory: apply the fixes described in the Pega Security Advisories at https://support.pega.com/support-doc/pega-security-advisory-i25-vulnerability-remediation-note and https://support.pega.com/support-doc/pega-security-advisory-h26-vulnerability-remediation-note, which Pega publishes as version-specific remediation notes for the affected 8.3.0 through Infinity 25.1.2 range; exact fixed build numbers are not independently confirmed in the supplied data and must be read from those advisories. Until patched, restrict Pega Platform access to trusted users only (VPN/SSO with conditional access), aggressively review role-based access control and access group configurations to minimize the data any single authenticated principal can request, and enable detailed audit logging on case and data-page access so anomalous URL/ID enumeration patterns can be detected - note that tightening RBAC may break legitimate cross-case workflows and should be staged. Avoid exposing Pega directly to the public internet where feasible, since this raises the bar against credential-stuffed attackers leveraging the flaw.

Share

EUVD-2025-210309 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy