Executive Summary - Action Required
Pega regularly implements security controls designed to safeguard client environments. As part of these efforts, Pega has provided patch releases addressing a high-severity security vulnerability relating to Privilege Escalation. We are issuing this advisory for clients, to bring awareness of the remediation.
No client compromises have been reported to date; however, remediation must be implemented to maintain security.
Information regarding this advisory will be publicly posted on Pega Support Center on July 3, 2026. We request that clients not discuss this in public forums until after it’s been publicly posted.
|
Advisory |
Description |
Patch Remediation |
Hotfix Remediation |
|---|---|---|---|
|
K26 |
Privilege Escalation |
24.1.4 Patch Release (Available) 24.2.4 Patch Release (Available) 25.1.2 Patch Release (Available)
|
Not available
|
Dates for all upcoming Infinity patch releases can be found here: Pega Infinity Patch Calendar
Impact
While the product requires authentication, a Privilege Escalation vulnerability may allow an authenticated low privileged attacker to elevate privileges on the targeted system.
Issue Details
|
Issue Details |
Privilege Escalation |
|---|---|
|
Software/Product |
Pega Platform |
|
Affected Version(s) |
From 6.x to 25.1.1 |
|
CVSS Rating (CVSS 4.0) |
High – 7.6 |
|
Description |
Privilege Escalation |
Due to the complexity of the solution, hotfixes cannot be provided. If you have not done so as part of staying current, please proceed with updating to the latest patch release.
As a best practice, you should update your Pega environment to the latest release to take advantage of the latest features, capabilities, security, and bug fixes. See Keeping Current with Pega for details.
Background:
As outlined in the following release notes, enhancements were provided in the above patch releases that helps prevent unauthorized privilege escalation or user impersonation utilizing activities.
|
Release |
Release Notes |
Comment |
|---|---|---|
|
25.1.2:
|
Enhancements to prevent unauthorized access from activities:
|
|
|
24.1.4:
|
|
|
|
24.2.4: |
|
|
Solution Implementation Details:
As described in the articles above, the fix provides protection by default. The recommendation for Pega Administrators is to add the secure settings to the prconfig.xml to prevent any developer from disabling the settings. Refer to the following article for updating the prconfig.xml file:
Once upgraded to one of the above patch releases, Pega Platform™ will validate activity Rules when saved to block unauthorized modifications to system pages. Clients who have customized an activity that attempts to modify the protected system pages listed will be blocked.
As outlined in the documentation, if you encounter this, you may temporarily modify the default value “prconfig/security/ProtectedSystemPageList/default” and restart.
As a security best practice, keep the default list of values in all non-development environments to prevent unauthorized access. In a development environment, you can temporarily modify the default value, but be sure to restore the full default value before moving code to a higher environment.
Usage:
To temporarily bypass validation for a system page in a development environment, create a DSS entry for this setting that omits the page name.
For Pega Cloud clients, Pega will be providing further guidance on the Client Advisory, in the near future, on how we will take further steps to lock down this functionality.