CVE-2026-0898
Received Received - Intake
Arbitrary File-Write in Pega Browser Extension Affects Developers

Publication date: 2026-03-23

Last updated on: 2026-03-23

Assigner: Pegasystems Inc.

Description
An arbitrary file-write vulnerability in Pega Browser Extension (PBE) affects Pega Robot Studio developers who are automating Google Chrome and Microsoft Edge using either version 22.1 or R25. This vulnerability does not affect Robot Runtime users. A bad actor could create a website that includes malicious code. The vulnerability may be exploited if a Pega Robot Studio developer is deceived into visiting this website during interrogation mode in Robot Studio.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-23
Last Modified
2026-03-23
Generated
2026-06-16
AI Q&A
2026-03-23
EPSS Evaluated
2026-06-14
NVD
CVE-2026-0898
EUVD
EUVD-2026-14476
Affected Vendors & Products
Showing 8 associated CPEs
Vendor Product Version / Range
pega pga_browser_extension From 22.1 (inc) to R25 (inc)
pega robot_studio From 22.1 (inc) to R25 (inc)
pega pga_browser_extension 22.1
pega pga_browser_extension r25
pega pga_browser_extension 3.1.43
pega robot_studio 22.1
pega robot_studio r25
pega robot_studio 25.1.12
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-284 The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

[{'type': 'paragraph', 'content': 'CVE-2026-0898 is an arbitrary file-write vulnerability in the Pega Browser Extension (PBE) used by Pega Robot Studio developers automating Google Chrome and Microsoft Edge browsers, specifically in versions 22.1 and R25.'}, {'type': 'paragraph', 'content': "The vulnerability occurs when a developer using Robot Studio's interrogation mode visits a malicious website crafted by an attacker. This malicious website can exploit the Pega Browser Extension to execute harmful code, potentially allowing arbitrary file writes."}, {'type': 'paragraph', 'content': 'It does not affect Robot Runtime users, only developers using Robot Studio with the affected PBE versions.'}] [1]

Impact Analysis

[{'type': 'paragraph', 'content': 'This vulnerability can allow an attacker to execute arbitrary code by tricking a Pega Robot Studio developer into visiting a malicious website during interrogation mode.'}, {'type': 'paragraph', 'content': "The attacker could potentially write arbitrary files on the developer's system, which may lead to system compromise, data corruption, or unauthorized access."}, {'type': 'paragraph', 'content': 'Because the vulnerability has a high CVSS score of 9.0, it represents a critical security risk that could severely impact the security and integrity of the development environment.'}] [1]

Compliance Impact

I don't know

Detection Guidance

I don't know

Mitigation Strategies

To mitigate the CVE-2026-0898 vulnerability, it is strongly recommended to update the Pega Browser Extension (PBE) to version 3.1.43 or later.

Additionally, updating Pega Robot Studio to version 25.1.12 is advised, although the updated PBE can be used with any Robot Studio version 22.1 or R25 without requiring a full Robot Studio upgrade.

The latest updates for the Pega Browser Extension and Robot Studio can be downloaded from the Pega My Software portal.

For assistance with migration or further support, users should contact Pega Support or raise a ticket via the My Support Portal.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-0898. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart