CVE-2021-27651

Name: CVE-2021-27651
Creator: NVD / NIST
Published: 2021-04-29T15:15:10.917+00:00
License: https://creativecommons.org/publicdomain/zero/1.0/

CRITICALCVSS 9.8/10EPSS 53.84%

Last modified Jun 17, 2026

CVE-2021-27651 is a critical-severity vulnerability rated 9.8/10 on the CVSS scale. In versions 8.2.1 through 8.5.2 of Pega Infinity, the password reset functionality for local accounts can be used to bypass local authentication checks.. EPSS estimates a 53.84% chance of exploitation in the next 30 days.

Description

In versions 8.2.1 through 8.5.2 of Pega Infinity, the password reset functionality for local accounts can be used to bypass local authentication checks.

Metrics

CVSS 3.1

9.8/10

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS Probability

53.84%

98.9th percentile

Probability of exploitation in the next 30 days. Learn more

Weakness Enumeration

Affected Software

Vendor	Product	Versions
Pega	Infinity	>= 8.2.1, <= 8.5.2

References

https://collaborate.pega.com/discussion/pega-security-advisory-a21-hotfix-matrixRelease Notes, Vendor Advisory
https://collaborate.pega.com/discussion/pega-security-advisory-a21-hotfix-matrixRelease Notes, Vendor Advisory

Timeline

Published: Apr 29, 2021
Last Modified: Jun 17, 2026
Status: Modified

Frequently Asked Questions

What is CVE-2021-27651?

In versions 8.2.1 through 8.5.2 of Pega Infinity, the password reset functionality for local accounts can be used to bypass local authentication checks.

How severe is CVE-2021-27651?

CVE-2021-27651 has a CVSS score of 9.8/10 (CRITICAL severity). The EPSS model estimates a 53.84% probability of exploitation in the next 30 days.

How do I fix CVE-2021-27651?

Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.

Are you affected by CVE-2021-27651?

Run a free Strix scan to check your systems for this vulnerability.

Scan your code now

Source: NVD / NIST