Pega regularly implements security controls designed to safeguard client environments. As part of these efforts, Pega will release patch updates and hotfixes addressing one high-severity security vulnerability in Pega Platform. We would like to thank Mohammed F. Alaskar from Saudi Awwal Bank Cybersecurity Team for finding this vulnerability.
No compromises have been reported to date; however, remediation is required to ensure continued security.
| Advisory | Description | Patch Remediation | Hotfix Remediation |
|---|---|---|---|
| H26 | Improper Access Control | 24.2.5 Patch Release (Targeted for June ‘26); 25.1.3 Patch Release (Targeted for May 20 ‘26) | 23.1.5 - HFIX-C4673; 24.1.4 - HFIX-D555; 24.2.3 - HFIX-D589; 25.1.2 - HFIX-D554 |
Dates for upcoming patch releases can be found here: Pega Infinity Patch Calendar.
Information regarding the availability of the patch releases and hotfixes will be publicly posted on Pega Support Center on June 22, 2026. We request that clients not discuss this in public forums until after these issues have been publicly posted to enable all customers to have adequate time to apply the necessary patches and/or hotfixes.
Impact
The product requires authentication but provides some functions that could be accessed or executed without proper authorization.
Issue Details
| Issue Details | Improper Access Control |
|---|---|
| Software/Product | Pega Platform |
| Affected Version(s) | From 8.3.0 to 25.1.2 |
| CVE | CVE-2025-62180 |
| CVSS Rating | High - 8.6 |
| Description | Improper Access Control |
This issue is related to the I25 Security Advisory; see the Pega Security Advisory I25 Vulnerability Remediation Note.
As a best practice, you should update your Pega environment to the latest release to take advantage of the latest features, capabilities, security, and bug fixes. See Keeping Current with Pega for details.
Obtaining your Hotfixes
Hotfixes are being created only for the patch releases listed above, under Hotfix Remediation. A restart is needed after hotfix installation. We will not provide hotfixes on prior versions of Pega Platform.
- Pega Cloud® clients, using the versions listed above, will have hotfixes applied proactively, with Cloud Maintenance (CM) cases detailing the schedule. If you are not on a version with a solution provided, please update promptly.
- United States Pega Cloud for Government (PCFG) clients will have Cloud Change (CC) cases created for relevant hotfixes, which Pega will apply. If you are not on a version with a solution provided, please update promptly.
- On-premises or client-managed cloud clients should check the table above for applicable hotfixes and download them directly from My Security Hotfixes on My Pega.
If you have questions or concerns, please raise a Support Ticket in My Support Portal.