CVE-2026-1078 PUBLISHED

An arbitrary file-write vulnerability in Pega Browser Extension (PBE) affects Pega Robotic Automation version 22.1 or R25 users who are running automations that work with Google Chrome or Microsoft Edge.

Assigner: Pega
Reserved: 16.01.2026 Published: 07.04.2026 Updated: 07.04.2026

An arbitrary file-write vulnerability in Pega Browser Extension (PBE) affects Pega Robotic Automation version 22.1 or R25 users who are running automations that work with Google Chrome or Microsoft Edge. A bad actor could create a website that includes malicious code. The vulnerability could occur if a Robot Runtime user navigates to the malicious website.

Metrics

CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:H/VA:H/SC:N/SI:H/SA:H
CVSS Score: 7.2

Product Status

Vendor Pegasystems
Product Pega Robot Studio
Versions Default: unaffected
  • Version 22.1 is affected
  • Version R25 is affected

Credits

  • Ramon Dunker from Achmea, Security Assessment Team finder

References

Problem Types

  • CWE-284: Improper Access Control CWE

Impacts

  • CAPEC-121: Exploit Process Communication