CVE-2025-62180 Overview
CVE-2025-62180 is an authorization weakness affecting Pega Platform versions 8.3.0 through Infinity 25.1.2. The flaw allows authenticated users to access additional data outside their permission scope by submitting crafted URLs. The vulnerability is classified as Insecure Direct Object Reference [CWE-639], where the application fails to properly verify that the requesting user is authorized to access the referenced resource. Pega has published two security advisories addressing the issue across affected release trains.
Critical Impact
Authenticated attackers can retrieve sensitive data belonging to other users or tenants by manipulating object identifiers in URLs, leading to confidentiality loss across the Pega Platform.
Affected Products
- Pega Platform 8.3.0 through 8.x releases
- Pega Infinity releases up to 25.1.2
- Pega applications built on the affected Platform versions
Discovery Timeline
- 2026-06-23 - CVE-2025-62180 published to NVD
- 2026-06-23 - Last updated in NVD database
Technical Details for CVE-2025-62180
Vulnerability Analysis
The vulnerability is an Insecure Direct Object Reference (IDOR) condition mapped to [CWE-639], Authorization Bypass Through User-Controlled Key. Pega Platform exposes resource identifiers in URL parameters that the server resolves to backing data objects. The authorization layer does not consistently verify that the authenticated session has permission to access the resolved object. An authenticated user can substitute identifiers belonging to other users, cases, or work objects and retrieve data outside their access scope.
The attack requires valid credentials on the target Pega instance but no elevated privileges. The impact is limited to information disclosure, with no direct write or availability impact reported in the advisories.
Root Cause
The root cause is missing or incomplete server-side authorization checks on requests that reference data objects by user-controlled identifiers. The application trusts client-supplied keys to scope data access rather than enforcing access control against the authenticated session context.
Attack Vector
Exploitation occurs over the network through standard HTTP requests to the Pega Platform. An authenticated attacker enumerates or guesses object identifiers, then issues crafted URLs containing those identifiers. The server returns data associated with the referenced object regardless of whether the requesting account owns or has been granted access to it.
No verified public proof-of-concept exists at the time of writing. Refer to the Pega Security Advisory H26 and Pega Security Advisory I25 for vendor technical details.
Detection Methods for CVE-2025-62180
Indicators of Compromise
- Unusual volumes of requests from a single authenticated session targeting sequential or randomized object identifiers in Pega URLs.
- Access log entries showing one user account retrieving cases, work objects, or data pages associated with different operator IDs.
- Spikes in HTTP 200 responses to URL patterns containing identifier parameters such as pzInsKey, caseID, or pyID from accounts that do not normally interact with those objects.
Detection Strategies
- Review Pega audit logs and PegaRULES database access records for cross-tenant or cross-operator data reads originating from low-privilege accounts.
- Correlate web access logs with application role assignments to flag retrievals of objects outside the requesting user's organizational unit or access group.
- Deploy application-layer monitoring rules that alert when a session iterates through object identifiers at a rate inconsistent with normal user behavior.
Monitoring Recommendations
- Forward Pega Platform access logs, security event logs, and database audit logs to a centralized SIEM for correlation against user role and access group data.
- Establish baselines for per-user case and data object access rates, and alert on deviations that may indicate identifier enumeration.
- Monitor outbound responses for unexpected volumes of sensitive field data returned to standard user roles.
How to Mitigate CVE-2025-62180
Immediate Actions Required
- Apply the remediation guidance in the Pega Security Advisories H26 and I25 to all Pega Platform instances running versions 8.3.0 through Infinity 25.1.2.
- Inventory all internet-exposed Pega Platform deployments and prioritize patching of externally reachable instances.
- Review access groups and operator privileges to ensure least privilege is enforced for all authenticated users.
Patch Information
Pega has released remediation guidance in two advisories: Pega Security Advisory H26 and Pega Security Advisory I25. Customers should follow the version-specific remediation steps provided by Pega Support and validate the fix in non-production environments before rolling out to production.
Workarounds
- Restrict Pega Platform access to trusted networks and authenticated VPN users where business requirements permit.
- Audit and tighten access group definitions, removing unnecessary data access rights from standard operator roles.
- Enable verbose audit logging for case and data object access to support detection until patches are fully deployed.
# Example: enable enhanced audit logging in prconfig.xml
# <env name="security/auditing/enable" value="true" />
# <env name="security/auditing/historydetails" value="true" />
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

