Executive Summary - Action Required
Pega regularly implements security controls designed to safeguard client environments. As part of these efforts, Pega will release patch updates and hotfixes addressing one high-severity security vulnerability in Pega Platform. This remediation guidance has been updated twice, with additional hotfixes provided in each update (see Update History below).
The original hotfixes, issued on 3rd March, are no longer available. Please request the associated hotfix from the 'Latest Hotfix Remediation' column.
No compromises have been reported to date; however, remediation is required to ensure continued security.
| Advisory | Description | Patch Remediation | Hotfix Remediation (these hotfixes are no longer available) | ***Latest Hotfix Remediation (Password Reset feature) |
|---|---|---|---|---|
| F26 | Improper Access Control | 24.2.4 Patch Release (targeted for Mar 11 '26); 25.1.2 Patch Release | 23.1.5 - HFIX-D114 superseded by HFIX-D673**; 24.1.4 - HFIX-D115; 24.2.2 - HFIX-C4394*; 24.2.3 - HFIX-D116; 25.1.1 - HFIX-D117 | 23.1.5 - HFIX-D775 (note: when requesting HFIX-D775, include HFIX-D673 as well); 24.1.4 - HFIX-D814; 24.2.2 - HFIX-D815; 24.2.3 - HFIX-D828; 24.2.4 - HFIX-D841; 25.1.1 - HFIX-D816; 25.1.2 - HFIX-D790 |
* - Provided as a courtesy for the client who found the issue.
Update History
Update 1 (23 March 2026): Published an updated hotfix for 23.1.5 (HFIX-D673) to address a reported regression after the original fix. ** See Updated Hotfix for 23.1.5 for details.
Update 2 (13 Apr 2026): Published additional hotfixes to address a regression affecting the Password Reset ("Trouble Logging In?") feature. These are provided in the Latest Hotfix Remediation column and include the original F26 hotfixes as a dependency. *** See Updated Hotfixes to address the Password Reset Feature for details.
Dates for upcoming patch releases can be found here: Pega Infinity Patch Calendar.
Information regarding the availability of the patch releases will be publicly posted on Pega Support Center on April 22, 2026. We request that clients not discuss this in public forums until after this issue has been publicly posted to enable all customers to have adequate time to apply the necessary patches and/or hotfixes.
Impact
The product requires authentication; however, a possible race condition in the product could allow some functions to be accessed or executed without proper authorization.
Issue Details
| Issue Details | Improper Access Control |
|---|---|
| Software/Product | Pega Platform |
| Affected Version(s) | From 8.2.0 to 25.1.1 |
| CVE | No CVE |
| CVSS Rating | High – 8.6 |
| Description | Improper Access Control |
Obtaining your Hotfixes
Hotfixes are being created only for the patch releases listed above, under Hotfix Remediation. A restart is needed after hotfix installation.
We will not provide hotfixes on prior versions of Pega Platform.
- Pega Cloud® clients, using the versions listed above, will have hotfixes applied proactively, with Cloud Maintenance (CM) cases detailing the schedule. If you are not on a version with a solution provided, please update promptly.
- United States Pega Cloud for Government (PCFG) clients will have Cloud Change (CC) cases created for relevant hotfixes, which Pega will apply. If you are not on a version with a solution provided, please update promptly.
- On-premises or client-managed cloud clients should check the table above for applicable hotfixes and download them directly from My Security Hotfixes on My Pega.
** Updated Hotfix for 23.1.5 (Update 1 - 23 March 2026)
We received multiple reports from clients of a possible regression on version 23.1.5 only when using Anonymous Authentication after HFIX-D114 was applied.
You may receive an error message that indicates the issue:
java.lang.NullPointerException: Cannot invoke "com.pega.pegarules.pub.runtime.PublicAPI.findPage(String)" because "tools" is null
at com.pega.pegarules.integration.engine.internal.auth.anonymous.AnonymousAuthHandler.validateAccessGroup(AnonymousAuthHandler.java:84)
Pega has reviewed the issue and has provided a solution for this with HFIX-D673 (for 23.1.5).
A restart is needed after installing the hotfix.
*** Updated hotfixes to address the Password Reset Feature (Update 2 - 13 April 2026)
We have received multiple reports from clients regarding a regression with the original F26 Security Advisory fixes, when using the 'Trouble Logging In?' link on the login page.
Scenario leading to the issue:
- Select 'Trouble Logging In?' on login page
- Enter a valid username into the username field
- Click Submit
When users attempt to use the Forgot Password option, the system displays an error message stating “Please enter valid username”, even when valid usernames are entered. Additionally, no verification code is sent or received as part of the password reset flow.
Pega has reviewed the issue and has provided a solution with the hotfixes listed in the 'Latest Hotfix Remediation (Password Reset feature)' column above. These hotfixes include the original F26 hotfixes (listed in the 'Hotfix Remediation' column above) as a dependency. If you installed the original F26 hotfix, you do not need to uninstall it; simply install the latest hotfix.
A restart is needed after installing the hotfix.
If you have questions or concerns, please raise a Support Ticket in My Support Portal.