Executive Summary – Action Required
Issue: This issue covers two potential security vulnerabilities; the first is related to the unauthenticated PegaMKTContainer service package, and the second is data validation for the CaptureResponse service. The security vulnerability has a CVSS Rating of 5.3 (Medium).
Remediation: Clients are advised to apply the relevant hotfix as outlined below.
Overview
The Pega Customer Decision Hub ships with an unauthenticated REST service package called PegaMKTContainer. This exposes the Realtime Container and CaptureResponse APIs so that web and mobile applications can request Next-Best-Action decisions and capture responses without going through a middleware layer.
Because these endpoints require no authentication, anyone who knows (or guesses) the URL can call them.
Background
Pega Customer Decision Hub provides two service packages for digital channel integration:
-
PegaMKTContainer (unauthenticated) – the original service, designed to be called directly from browsers and mobile apps.
-
PegaMKTContainerSecured (authenticated, available since v8.8) – a secured version intended for server-to-server calls through a middleware or proxy layer.
The unauthenticated service was built for convenience, but it creates a security risk when exposed on the public internet without a proxy that controls access.
This hotfix adds two new application settings that let you lock down the unauthenticated service and tighten data validation. Both settings default to "checked" (true) so that existing behavior is preserved until you choose to change them.
How to determine if you are affected?
This security vulnerability affects all clients using Pega Customer Decision Hub.
Clients on Pega Customer Decision Hub versions 24.1, 24.2 or 25.1.1 now have the ability to turn the unauthenticated service off.
What should I do? (Follow the path that matches your setup)
Path 1 – You are NOT using inbound real-time decisioning at all
If your Pega Customer Decision Hub deployment does not serve real-time decisions to any web, mobile, or digital channel (i.e., you only use outbound channels like email, SMS, or push), then you do not need the unauthenticated service.
-
Action: Apply the hotfix, then open the myEnableUnauthenticatedServices application setting and uncheck it (set to false). This disables the unauthenticated PegaMKTContainer service package entirely.
Path 2 – You ARE using inbound decisioning, and your channel applications call Pega Customer Decision Hub through a secured middleware / server-to-server layer
Since Pega Customer Decision Hub v8.8, you can use the authenticated PegaMKTContainerSecured service package for server-to-server integration. If your architecture already routes all traffic through a secure backend (e.g., an application server, API gateway, or “Backend For Frontend” layer) that calls the secured service, you do not need the unauthenticated endpoint.
-
Action: Apply the hotfix, then open the myEnableUnauthenticatedServices application setting and uncheck it (set to false). This disables the unauthenticated service while your secured integration continues to work normally.
Path 3 – You ARE routing browser or mobile traffic directly to Pega Customer Decision Hub (no middleware in between)
If your web or mobile application calls the Pega Customer Decision Hub unauthenticated service directly from the client side (browser JavaScript, mobile SDK, etc.) without going through a server-side proxy, then disabling the unauthenticated service would break your integration.
-
Immediate action: Apply the hotfix. Open the myAllowUnknownInteractions application setting and uncheck it (set to false). This adds data validation so that only known, valid interaction outcomes are accepted—blocking fake or expired responses.
-
Plan for re-architecture: You should plan to move to a secured architecture where a backend service calls PegaMKTContainerSecured on behalf of the client. Once that migration is complete, disable the unauthenticated service using the myEnableUnauthenticatedServices setting as described in Path 1 or Path 2.
Application Settings Reference
-
myEnableUnauthenticatedServices — Controls whether the unauthenticated PegaMKTContainer service package is active. Default: checked (true, service enabled). Uncheck (false) to disable the service.
-
myAllowUnknownInteractions — Controls whether the CaptureResponse service accepts outcomes for unknown or expired interactions. Default: checked (true, all outcomes accepted). Uncheck (false) to reject unrecognized interaction outcomes.
Security Vulnerability Public posting
As this is a Security Vulnerability, we are obliged to publicly post Information regarding the availability of the patch releases and hotfixes on Pega Support Center. These will be posted on June 30, 2026. We request that clients not discuss this in public forums until after this issue has been publicly posted to enable all customers to have adequate time to apply the necessary patches and/or hotfixes.
Obtaining your hotfix
Please review the following hotfixes and take appropriate action. Note: A restart is not required after applying the hotfix.
|
HFIX ID |
Pega CDH Version |
|---|---|
|
HFIX-D390 |
24.1 |
|
HFIX-D487 |
24.2 |
|
HFIX-D485 |
25.1.1 |
If you are a Pega Cloud client, your Pega Cloud® environments are being updated with the hotfix by Pega. Cloud Maintenance (CM) cases are being created for each of your environments, which provides the schedule of when the hotfixes will be applied. Once the Hotfixes are applied, please follow the steps to change one or both of the application settings as per the relevant path for your organization.
If you are a United States Pega Cloud for Government (PCFG) client, Cloud Change (CC) cases are being created for the hotfix, which will be applied by Pega. Once the Hotfixes are applied, please follow the steps to change one or both of the application settings as per the relevant path for your organization.
If you are an on–premises or client managed cloud client, please submit a hotfix request using My Support Portal. As always, be sure you have appropriate backups in place before applying the hotfix. Once the Hotfixes are applied, please follow the steps to change one or both of the application settings as per the relevant path for your organization.
For any questions, contact Global Client Support via My Support Portal.