Description
Pega Platform versions 8.3.0 through Infinity 25.1.2 are affected by an authorization weakness that may allow authenticated users to access certain additional data via crafted URLs.
Published: 2026-06-23
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Pega Platform and Pegasystems Pega Infinity versions from 8.3.0 through 25.1.2 contain an authorization weakness that can allow an authenticated user to retrieve additional data by manipulating request URLs. The flaw arises from insufficient authorization checks, enabling disclosure of data to users who lack the necessary permissions and therefore threatens confidentiality. The weakness is reflected in CWE‑639, which describes an authorization bypass through a user‑controlled key.

Affected Systems

The vulnerability affects all releases of Pega Platform beginning with 8.3.0 and all releases of Pega Infinity up to and including 25.1.2. End‑points that support URL‑based data retrieval are the primary vectors and thus any installation in this version range is potentially impacted.

Risk and Exploitability

The CVSS score of 7.1 reflects a high severity due to the potential for data exposure. The EPSS score is not available, and the vulnerability is not listed in the CISA KEV catalog, indicating that public exploits are not known. The attack requires an authenticated session and crafted URLs, so an attacker must first log in and then target specific resources for exploitation. Because the flaw is not dependent on privileged access or remote code execution, the risk primarily lies in unauthorized data access rather than system compromise.

Generated by OpenCVE AI on June 24, 2026 at 11:55 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the security patch or upgrade to a release newer than the affected version range—any Pega Platform release newer than 8.3.0 or any Pega Infinity release newer than 25.1.2 as recommended by Pegasystems.
  • Address the issue by ensuring that all URL‑based data retrieval endpoints enforce proper authorization checks, verifying that the requesting user has the required permissions before serving data.
  • Consult the Pegasystems security advisories linked in the references for detailed guidance on applying the fix and for confirming that the implementation has removed the authorization bypass.

Generated by OpenCVE AI on June 24, 2026 at 11:55 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 23 Jun 2026 18:30:00 +0000

Type Values Removed Values Added
First Time appeared Pegasystems
Pegasystems pega Infinity
Vendors & Products Pegasystems
Pegasystems pega Infinity

Tue, 23 Jun 2026 17:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 23 Jun 2026 15:45:00 +0000

Type Values Removed Values Added
Description Pega Platform versions 8.3.0 through Infinity 25.1.2 are affected by an authorization weakness that may allow authenticated users to access certain additional data via crafted URLs.
Title Pega Platform versions 8.3.0 through Infinity 25.1.2 are affected by an authorization weakness that may allow authenticated users to access certain additional data via crafted URLs.
Weaknesses CWE-639
References
Metrics cvssV4_0

{'score': 7.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:L/SC:N/SI:N/SA:N'}

Subscriptions

Pegasystems Pega Infinity
cve-icon MITRE

Status: PUBLISHED

Assigner: Pega

Published:

Updated: 2026-06-23T17:03:35.508Z

Reserved: 2025-10-07T19:04:27.220Z

Link: CVE-2025-62180

cve-icon Vulnrichment

Updated: 2026-06-23T16:31:46.519Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-24T12:00:05Z

Weaknesses
  • CWE-639

    Authorization Bypass Through User-Controlled Key