Executive Summary - Action Required
Pega regularly implements security controls designed to safeguard client environments. As part of these efforts, Pega has released patch updates and hotfixes addressing a critical-severity security vulnerability relating to improper authorization execution risk.
No client compromises have been reported to date; however, remediation must be applied promptly once the hotfix becomes available, following the schedule outlined below.
Information regarding the availability of the hotfixes will be publicly posted on Pega Support Center on March 2, 2026. We request that clients not discuss this in public forums until after it’s been publicly posted.
| Advisory | Description | Patch Remediation | Hotfix Remediation |
|---|---|---|---|
| M25 | Improper Authorization Execution Risk | 24.1.4 Patch Release (Targeted for Dec '25); 24.2.4 Patch Release (Targeted for Feb '26); 25.1.2 Patch Release (Targeted for Jan '26) | 8.1.9 - HFIX-C4313; 8.2.8 - HFIX-C4312; 8.3.6 - HFIX-C4311; 8.4.6 - HFIX-C4300; 8.5.6 - HFIX-C4299; 8.6.6 - HFIX-C4298; 8.7.6 - HFIX-C4297; 8.8.5 - HFIX-C4296; 23.1.5 - HFIX-C4295; 24.1.3 - HFIX-C4294; 24.2.2 - HFIX-C4721 |
Dates for all upcoming Infinity patch releases can be found here: Pega Infinity Patch Calendar.
Impact
While the product requires authentication, the vulnerability allows some functions to be accessed or executed without authentication and proper authorization.
Issue Details
| Issue Details | Issue: Improper Access Control |
|---|---|
| Software/Product | Pega Platform |
| Affected Version(s) | From 6.x to 25.1.1 |
| CVSS Rating (CVSS 4.0) | Critical – 9.3 |
| Description | Improper Authorization Execution Risk |
Obtaining your Hotfixes
Hotfixes are being created only for the patch releases listed above, under Hotfix Remediation. A restart is needed after hotfix installation. We will not provide hotfixes on prior versions of the platform.
As a best practice, you should update your Pega environment to the latest release to take advantage of the latest features, capabilities, security, and bug fixes. See Keeping Current with Pega for details.
- Pega Cloud® clients, using the versions listed above, will have hotfixes applied proactively, with Cloud Maintenance (CM) cases detailing the schedule. If you are not on a version with a solution provided, please update promptly.
- United States Pega Cloud for Government (PCFG) clients will have Cloud Change (CC) cases created for relevant hotfixes, which Pega will apply. If you are not on a version with a solution provided, please update promptly.
- On-premises or client-managed cloud clients should check the table above for applicable hotfixes and download them directly from My Security Hotfixes on My Pega.
For questions, submit a Support ticket through My Support Portal.