CVE-2021-27651

CRITICAL NUCLEI

Pega Infinity <8.5.2 - Auth Bypass

Title source: llm

Description

In versions 8.2.1 through 8.5.2 of Pega Infinity, the password reset functionality for local accounts can be used to bypass local authentication checks.

Exploits (3)

nomisec WRITEUP 60 stars
by samwcyo · poc
https://github.com/samwcyo/CVE-2021-27651-PoC
nomisec WRITEUP 2 stars
by Vulnmachines · poc
https://github.com/Vulnmachines/CVE-2021-27651
nomisec WORKING POC 1 star
by orangmuda · poc
https://github.com/orangmuda/CVE-2021-27651

Nuclei Templates (1)

Pega Infinity - Authentication Bypass
CRITICAL · by idealphase, daffainfo

Scores

CVSS v3 9.8
EPSS 0.9218
EPSS Percentile 99.7%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

CWE
CWE-287
Status published
Products (1)
pega/infinity 8.2.1 - 8.5.2
Published Apr 29, 2021
Tracked Since Feb 18, 2026