CVE-2026-1079 PUBLISHED

A native messaging host vulnerability in Pega Browser Extension (PBE) affects users of all versions of Pega Robotic Automation who have installed Pega Browser Extension.

Assigner: Pega
Reserved: 16.01.2026 Published: 07.04.2026 Updated: 07.04.2026

A native messaging host vulnerability in Pega Browser Extension (PBE) affects users of all versions of Pega Robotic Automation who have installed Pega Browser Extension. A bad actor could create a website that contains malicious code that targets PBE. The vulnerability could occur if a user navigates to this website. The malicious website could then present an unexpected message box.

Metrics

CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:N/VA:H/SC:N/SI:N/SA:L
CVSS Score: 6

Product Status

Vendor Pegasystems
Product Pega Browser Extension (PBE)
Versions Default: unaffected
  • affected from 0 to 3.1.45 (excl.)

Credits

  • Ramon Dunker from Achmea, Security Assessment Team finder

References

Problem Types

  • CWE-284: Improper Access Control CWE

Impacts

  • CAPEC-121: Exploit Process Communication