CVE-2026-0898
Arbitrary File-Write in Pega Browser Extension Affects Developers
Publication date: 2026-03-23
Last updated on: 2026-03-23
Assigner: Pegasystems Inc.
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| pega | pga_browser_extension | From 22.1 (inc) to R25 (inc) |
| pega | robot_studio | From 22.1 (inc) to R25 (inc) |
| pega | pga_browser_extension | 22.1 |
| pega | pga_browser_extension | r25 |
| pega | pga_browser_extension | 3.1.43 |
| pega | robot_studio | 22.1 |
| pega | robot_studio | r25 |
| pega | robot_studio | 25.1.12 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-284 | The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-0898 is an arbitrary file-write vulnerability in the Pega Browser Extension (PBE) used by Pega Robot Studio developers automating Google Chrome and Microsoft Edge browsers, specifically in versions 22.1 and R25.
The vulnerability occurs when a developer using Robot Studio's interrogation mode visits a malicious website crafted by an attacker. This malicious website can exploit the Pega Browser Extension to execute harmful code, potentially allowing arbitrary file writes.
It does not affect Robot Runtime users, only developers using Robot Studio with the affected PBE versions. [1]
How can this vulnerability impact me?
This vulnerability can allow an attacker to execute arbitrary code by tricking a Pega Robot Studio developer into visiting a malicious website during interrogation mode.
The attacker could potentially write arbitrary files on the developer's system, which may lead to system compromise, data corruption, or unauthorized access.
Because the vulnerability has a high CVSS score of 9.0, it represents a critical security risk that could severely impact the security and integrity of the development environment. [1]
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
I don't know
What immediate steps should I take to mitigate this vulnerability?
To mitigate the CVE-2026-0898 vulnerability, it is strongly recommended to update the Pega Browser Extension (PBE) to version 3.1.43 or later.
Additionally, updating Pega Robot Studio to version 25.1.12 is advised, although the updated PBE can be used with any Robot Studio version 22.1 or R25 without requiring a full Robot Studio upgrade.
The latest updates for the Pega Browser Extension and Robot Studio can be downloaded from the Pega My Software portal.
For assistance with migration or further support, users should contact Pega Support or raise a ticket via the My Support Portal.