Executive Summary - Action Required
Pega regularly implements security controls designed to safeguard client environments. As part of these efforts, Pega has released patch updates and hotfixes addressing a high-severity security vulnerability relating to Cross Site Request Forgery (CSRF) in Pega Platform.
No client compromises have been reported to date; however, immediate remediation is required to ensure continued security.
Information regarding the availability of the hotfixes will be publicly posted on Pega Support Center on February 16, 2026. We request that clients not discuss this in public forums until after it’s been publicly posted.
| Advisory | Description | Patch Remediation | Hotfix Remediation |
|---|---|---|---|
| K25 | Cross Site Request Forgery (CSRF) | 24.1.4 Patch Release (Targeted for Dec '25)<br>24.2.4 Patch Release (Targeted for Feb '26)<br>25.1.2 Patch Release (Targeted for Jan '26) | 23.1.5 - HFIX-C4049<br>24.1.3 - HFIX-C4048<br>24.2.2 - HFIX-C4016 \*\* |

\*\* Due to the timing of the Pega Customer Service 24.2.3 patch combined with Pega's responsible disclosure policy, we have made a policy exception and issued an additional hotfix for 24.2.2 for the benefit of clients using Pega Customer Service.
Dates for upcoming patch releases can be found here: Pega Infinity Patch Calendar.
As always, we recommend our clients review our Security Checklist regularly.
Impact
CSRF is an attack that tricks a victim's browser into submitting a request the victim did not intend. Pega Platform provides CSRF protection when it is activated through the dedicated CSRF landing page.
By altering the request URL, it is possible to bypass the CSRF protection (when enabled) that controls update actions for DX APIs in Hybrid applications.
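To make the class of weakness concrete for teams reviewing their own CSRF enforcement, the following added example (not Pega's code, and not a description of the Pega Platform mechanism) contrasts a hypothetical check that demands a token only for URLs on an allowlist with a hardened check that demands a token for every state-changing HTTP method. The token, endpoint path and URL variants are constructed for the illustration; the point is that protection keyed on how a URL is spelled is fragile, whereas protection keyed on the HTTP method is not.

```python
import hmac
import secrets
from urllib.parse import urlsplit

# Constructed per-session token; a real application binds it to the user's session.
SESSION_TOKEN = secrets.token_hex(16)

# Methods that must never change state and therefore need no CSRF token.
SAFE_METHODS = frozenset({"GET", "HEAD", "OPTIONS"})


def token_valid(token):
    """Constant-time comparison of the submitted token with the session's token."""
    return hmac.compare_digest(token or "", SESSION_TOKEN)


def csrf_check_by_path(method, url, token):
    """Hypothetical anti-pattern: the token is only demanded for URLs on an allowlist.
    A request that reaches the same handler through a spelling the allowlist did not
    anticipate is never checked at all."""
    path = urlsplit(url).path
    if path.startswith("/api/v1/update"):   # constructed endpoint, not a real Pega path
        return token_valid(token)
    return True


def csrf_check_by_method(method, url, token):
    """Hardened form: every state-changing method requires a valid token,
    regardless of how the URL is written."""
    if method.upper() in SAFE_METHODS:
        return True
    return token_valid(token)


# Constructed URL spellings that many routers resolve to the same update endpoint.
VARIANTS = ["/api/v1/update", "/API/v1/update", "/api/v1/update/", "//api/v1/update"]


def audit(check):
    """Return the URL variants for which `check` accepts a token-less POST.
    An empty list means the check cannot be sidestepped by rewriting the URL."""
    return [u for u in VARIANTS if check("POST", u, None)]


if __name__ == "__main__":
    print("path-based check accepts without token:", audit(csrf_check_by_path))
    print("method-based check accepts without token:", audit(csrf_check_by_method))
```

Running `audit` against your own middleware in a unit test is a cheap regression check: the hardened check should return an empty list for every variant you can think of, and any non-empty result points at a path-matching rule that needs to be replaced by method-based enforcement.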
Issue Details
| Issue Details | Issue: Improper Access Control |
|---|---|
| Software/Product | Pega Platform |
| Affected Version(s) | From 8.7 to 25.1.1 |
| CVSS Rating | High - 7.6 |
| Description | Cross Site Request Forgery (CSRF) |
Obtaining your Hotfixes
Hotfixes are being created only for the patch releases listed above, under Hotfix Remediation. We will not provide hotfixes on prior versions of the platform.
As a best practice, you should update your Pega environment to the latest release to take advantage of the latest features, capabilities, security, and bug fixes. See Keeping Current with Pega for details.
Pega Cloud® clients using the versions listed above will have hotfixes applied proactively, with Cloud Maintenance (CM) cases detailing the schedule. If you are not on a version with a solution provided, please update promptly.
United States Pega Cloud for Government (PCFG) clients will have Cloud Change (CC) cases created for relevant hotfixes, which Pega will apply. If you are not on a version with a solution provided, please update promptly.
On-premises or client-managed cloud clients should check the table above for applicable hotfixes and download them directly from My Security Hotfixes on My Pega.