Description
An arbitrary file-write vulnerability in Pega Browser Extension (PBE) affects Pega Robot Studio developers who are automating Google Chrome and Microsoft Edge using either version 22.1 or R25. This vulnerability does not affect Robot Runtime users. A bad actor could create a website that includes malicious code. The vulnerability may be exploited if a Pega Robot Studio developer is deceived into visiting this website during interrogation mode in Robot Studio.
Published: 2026-03-23
Score: 9 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Immediate Patch
AI Analysis

Impact

A flaw in the Pega Browser Extension lets a malicious web page write arbitrary files on the machine running Pega Robot Studio. Pega notes that the attacker-controlled page has to be loaded while a developer is in interrogation mode in Robot Studio. Because the attacker chooses both the path and the contents, the write can drop an executable, script or shortcut into a location from which it will later run, so the defect can lead to arbitrary code execution on the developer's workstation. The weakness is classified as CWE-284, Improper Access Control: the product does not correctly restrict access to a resource from an unauthorized actor.

Affected Systems

Pegasystems' Pega Robot Studio development environment is impacted, in versions 22.1 and R25. The issue does not affect users of Robot Runtime. The vulnerability is only relevant when developers are automating Google Chrome or Microsoft Edge through the Pega Browser Extension.

Risk and Exploitability

The CVSS v4.0 base score of 9.0 is Critical. The vector (AV:N/AC:L/AT:P/PR:N/UI:P, with every impact metric High) records the two conditions that shape the attack: AT:P, because interrogation mode must be active at the time, and UI:P, because the developer only has to load the page, nothing more. The EPSS score is below 1%, so the modelled probability of exploitation in the wild is currently low, and the flaw is not in the CISA KEV catalog, so no active exploitation has been reported; the SSVC assessment likewise rates it as not automatable. None of that reduces the impact once a developer is lured to a page the attacker controls, since no skill beyond hosting a website is required. Pega's support document provides the remediation path, and organisations should follow it promptly.

Generated by OpenCVE AI on March 23, 2026 at 20:23 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the fix or update that Pega publishes for Robot Studio 22.1 and R25 as soon as it is available; the remediation field above currently lists none, so check the Pega advisory directly rather than assuming a fixed build exists.
  • Consult the Pega support document at https://support.pega.com/support-doc/pega-security-advisory-p25-vulnerability-remediation-note for detailed remediation guidance.
  • Until a fix is in place, keep the Pega Browser Extension disabled or uninstalled except while a developer is actively interrogating an application, and confine those sessions to the application under automation. Chrome and Edge both honour the ExtensionSettings enterprise policy, whose runtime_allowed_hosts and runtime_blocked_hosts keys limit the hosts on which a given extension may run; scoping PBE to the automated application's hosts reduces exposure from a stray navigation.
  • Educate developers to avoid visiting untrusted or unknown websites while Robot Studio is in interrogation mode.
  • Monitor file-creation telemetry on developer workstations (for example Sysmon Event ID 11) for files written by the browser process, or by Robot Studio, into locations outside the browser profile and Downloads folder, with particular attention to executables, scripts and shortcuts landing in Startup or program directories.
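The advisory does not describe how PBE performs the write, so a detection has to key on what is observable on the endpoint: a browser process (or whatever Robot Studio component the extension hands the write to) creating a file somewhere a browser has no business writing. The following is an added example for this page, not Pega or OpenCVE code. It triages Sysmon FileCreate records in newline-delimited JSON; the browser image names, path markers, extension list and the sample events are all constructed assumptions to be tuned to the real environment.

```python
"""Triage Sysmon FileCreate (Event ID 11) records for files that a browser
process wrote outside its own profile or Downloads folder.

Added example for this advisory, not Pega or OpenCVE code.  The browser
image names, path markers, extension list and the sample events are
constructed assumptions; tune them to the environment before use."""
import json
import ntpath

# Browsers a Robot Studio developer drives through PBE (assumed image names).
# If the extension delegates the write to a Robot Studio component, add that
# component's image name here as well.
BROWSER_IMAGES = {"chrome.exe", "msedge.exe"}

# Paths a browser writes to in normal use; a match is dropped as expected.
BENIGN_MARKERS = (
    "\\appdata\\local\\google\\chrome\\user data\\",
    "\\appdata\\local\\microsoft\\edge\\user data\\",
    "\\downloads\\",
)

# Locations where a dropped file runs without further help from the victim.
# The drive-letter-anchored markers avoid matching e.g. AppData\Roaming\Microsoft\Windows.
SENSITIVE_MARKERS = (
    "\\start menu\\programs\\startup\\",
    ":\\program files (x86)\\",
    ":\\program files\\",
    ":\\programdata\\",
    ":\\windows\\",
)

EXEC_EXTS = {".exe", ".dll", ".scr", ".ps1", ".bat", ".cmd",
             ".vbs", ".js", ".hta", ".lnk"}


def classify(event):
    """Return a finding for a suspicious browser-originated write, else None."""
    image = ntpath.basename(event.get("Image", "")).lower()
    if image not in BROWSER_IMAGES:
        return None                      # only browser-originated writes matter here
    target = event.get("TargetFilename", "")
    low = target.lower()
    if any(marker in low for marker in BENIGN_MARKERS):
        return None                      # profile, cache or Downloads: expected
    reasons = []
    ext = ntpath.splitext(low)[1]
    if ext in EXEC_EXTS:
        reasons.append(f"executable, script or shortcut extension {ext}")
    for marker in SENSITIVE_MARKERS:
        if marker in low:
            loc = marker.strip("\\")
            reasons.append(f"write into sensitive location {loc}")
            break
    return {
        "time": event.get("UtcTime"),
        "image": image,
        "pid": event.get("ProcessId"),
        "target": target,
        "severity": "high" if reasons else "low",
        "reasons": reasons or ["browser wrote outside its profile and Downloads"],
    }


def triage(lines):
    """Parse newline-delimited JSON Sysmon events; return findings only."""
    findings = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        event = json.loads(line)
        if str(event.get("EventID")) != "11":
            continue                     # not a FileCreate record
        finding = classify(event)
        if finding is not None:
            findings.append(finding)
    return findings


# Constructed sample telemetry in the JSON shape a Sysmon-to-SIEM forwarder
# emits; not captured from a real host.
SAMPLE_EVENTS = r"""
{"EventID": 1, "UtcTime": "2026-03-24 09:11:58.000", "ProcessId": 4120, "Image": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe", "CommandLine": "chrome.exe --profile-directory=Default"}
{"EventID": 11, "UtcTime": "2026-03-24 09:12:01.100", "ProcessId": 4120, "Image": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe", "TargetFilename": "C:\\Users\\dev\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Cache\\f_00012a"}
{"EventID": 11, "UtcTime": "2026-03-24 09:12:03.410", "ProcessId": 5208, "Image": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe", "TargetFilename": "C:\\Users\\dev\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\update.lnk"}
{"EventID": 11, "UtcTime": "2026-03-24 09:12:05.020", "ProcessId": 4120, "Image": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe", "TargetFilename": "C:\\Users\\dev\\Downloads\\report.pdf"}
{"EventID": 11, "UtcTime": "2026-03-24 09:12:07.900", "ProcessId": 4120, "Image": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe", "TargetFilename": "C:\\ProgramData\\Pega\\hook.dll"}
{"EventID": 11, "UtcTime": "2026-03-24 09:12:09.330", "ProcessId": 6644, "Image": "C:\\Windows\\System32\\notepad.exe", "TargetFilename": "C:\\Users\\dev\\Desktop\\notes.txt"}
{"EventID": 11, "UtcTime": "2026-03-24 09:12:12.750", "ProcessId": 4120, "Image": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe", "TargetFilename": "C:\\Users\\dev\\Documents\\invoice.pdf"}
""".splitlines()


if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(json.dumps(finding))
```

Run against the constructed sample, the cache write and the Downloads save are dropped, the notepad write is ignored because it is not browser-originated, the Startup shortcut and the DLL under ProgramData come out as high-severity findings, and the PDF saved to Documents comes out as low-severity for review. Low findings will be noisy on workstations where developers routinely save files outside Downloads; extend BENIGN_MARKERS rather than suppressing the rule, so that executable drops into Startup or program directories are never lost in the tuning.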

Advisories

No advisories yet.

History

Tue, 24 Mar 2026 15:15:00 +0000

Type: Metrics (ssvc)
Values added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Tue, 24 Mar 2026 10:45:00 +0000

Type: First Time appeared
Values added: Pegasystems; Pegasystems pega Robot Studio
Type: Vendors & Products
Values added: Pegasystems; Pegasystems pega Robot Studio

Mon, 23 Mar 2026 19:00:00 +0000

Type: Description
Values added: An arbitrary file-write vulnerability in Pega Browser Extension (PBE) affects Pega Robot Studio developers who are automating Google Chrome and Microsoft Edge using either version 22.1 or R25. This vulnerability does not affect Robot Runtime users. A bad actor could create a website that includes malicious code. The vulnerability may be exploited if a Pega Robot Studio developer is deceived into visiting this website during interrogation mode in Robot Studio.
Type: Title
Values added: An arbitrary file-write vulnerability in Pega Browser Extension (PBE) affects Pega Robot Studio developers who are automating Google Chrome and Microsoft Edge using either version 22.1 or R25.
Type: Weaknesses
Values added: CWE-284
Type: References
Values added:
Type: Metrics (cvssV4_0)
Values added: {'score': 9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H'}


MITRE

Status: PUBLISHED

Assigner: Pega

Published:

Updated: 2026-03-24T14:37:30.588Z

Reserved: 2026-01-13T17:31:36.351Z

Link: CVE-2026-0898

Vulnrichment

Updated: 2026-03-24T14:37:27.253Z

NVD

Status : Awaiting Analysis

Published: 2026-03-23T19:16:39.040

Modified: 2026-03-24T15:54:09.400

Link: CVE-2026-0898

Red Hat

No data.

OpenCVE Enrichment

Updated: 2026-03-25T20:37:07Z

Weaknesses