Description
A native messaging host vulnerability in Pega Browser Extension (PBE) affects users of all versions of Pega Robotic Automation who have installed Pega Browser Extension. A bad actor could create a website that contains malicious code that targets PBE. The vulnerability could occur if a user navigates to this website. The malicious website could then present an unexpected message box.
Published: 2026-04-07
Score: 6 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized access via native messaging host
Action: Immediate Patch
AI Analysis

Impact

The Pega Browser Extension contains a native messaging host flaw that can be triggered by a malicious website. When a user navigates to the compromised site the extension can display unexpected message boxes, potentially delivering unauthorized commands or data. The weakness is an improper access control issue, specifically CWE‑284, which may allow an attacker to send privileged messages to the extension or exploit its elevated permissions.

Affected Systems

All users who have installed the Pega Browser Extension (PBE) as part of any version of Pega Robotic Automation are vulnerable. The vulnerability exists across every released version of the extension and therefore affects every Pega Robotic Automation deployment that utilizes PBE.

Risk and Exploitability

The CVSS score of 6.0 indicates a medium severity vulnerability while no EPSS score is currently published. The flaw can be exploited by hosting a malicious page that a user visits; no known public exploits exist, but the impact could range from deceptive message boxes to execution of privileged operations. Since the flaw is present in all versions and is not listed in the CISA KEV catalog, organisations should consider it a potential risk until a patch is applied.

Generated by OpenCVE AI on April 7, 2026 at 21:26 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest update or patch for Pega Browser Extension as recommended by Pega’s security advisory. If a patch is not yet available, disable the Pega Browser Extension or block users from loading the extension. Use browser security controls such as the block list or content‑security‑policy to prevent users from visiting or executing malicious web pages that target the extension. Monitor user activity for unexpected message boxes and educate users about the risks of visiting untrusted websites.

Generated by OpenCVE AI on April 7, 2026 at 21:26 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 08 Apr 2026 20:15:00 +0000

Type Values Removed Values Added
First Time appeared Pegasystems
Pegasystems pega Browser Extension (pbe)
Vendors & Products Pegasystems
Pegasystems pega Browser Extension (pbe)

Tue, 07 Apr 2026 20:45:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 07 Apr 2026 18:00:00 +0000

Type Values Removed Values Added
Description A native messaging host vulnerability in Pega Browser Extension (PBE) affects users of all versions of Pega Robotic Automation who have installed Pega Browser Extension. A bad actor could create a website that contains malicious code that targets PBE. The vulnerability could occur if a user navigates to this website. The malicious website could then present an unexpected message box.
Title A native messaging host vulnerability in Pega Browser Extension (PBE) affects users of all versions of Pega Robotic Automation who have installed Pega Browser Extension.
Weaknesses CWE-284
References
Metrics cvssV4_0

{'score': 6, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:N/VA:H/SC:N/SI:N/SA:L'}

Subscriptions

Pegasystems Pega Browser Extension (pbe)
cve-icon MITRE

Status: PUBLISHED

Assigner: Pega

Published:

Updated: 2026-04-07T20:06:55.833Z

Reserved: 2026-01-16T20:29:58.229Z

Link: CVE-2026-1079

cve-icon Vulnrichment

Updated: 2026-04-07T20:06:53.274Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-04-07T16:16:23.370

Modified: 2026-04-08T21:27:00.663

Link: CVE-2026-1079

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-08T19:48:22Z

Weaknesses