Skip to main content

Pega Robot Studio CVE-2026-0898

| EUVDEUVD-2026-14476 CRITICAL
Improper Access Control (CWE-284)
2026-03-23 Pega GHSA-5c89-ppg6-hr22
9.0
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
9.0 CRITICAL
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
P

Lifecycle Timeline

3
EUVD ID Assigned
Mar 23, 2026 - 19:00 euvd
EUVD-2026-14476
Analysis Generated
Mar 23, 2026 - 19:00 vuln.today
CVE Published
Mar 23, 2026 - 18:41 nvd
CRITICAL 9.0

DescriptionCVE.org

An arbitrary file-write vulnerability in Pega Browser Extension (PBE) affects Pega Robot Studio developers who are automating Google Chrome and Microsoft Edge using either version 22.1 or R25. This vulnerability does not affect Robot Runtime users. A bad actor could create a website that includes malicious code. The vulnerability may be exploited if a Pega Robot Studio developer is deceived into visiting this website during interrogation mode in Robot Studio.

AnalysisAI

An arbitrary file-write vulnerability exists in Pega Browser Extension (PBE) affecting Pega Robot Studio developers using versions 22.1 or R25 who automate Google Chrome and Microsoft Edge browsers. A threat actor can craft a malicious website that, when visited by a developer during interrogation mode in Robot Studio, executes arbitrary file-write operations on the developer's system. This vulnerability does not affect end-user Robot Runtime deployments, limiting its blast radius to development environments.

Technical ContextAI

The vulnerability is rooted in improper access control mechanisms (CWE-284) within the Pega Browser Extension, a browser automation tool integrated with Pega Robot Studio. The extension operates with elevated privileges in developer mode (interrogation mode) to facilitate automation testing and code inspection in Chrome and Edge browsers. The root cause appears to be insufficient validation of website content and insufficient restriction of the extension's file-write capabilities when processing untrusted input from web pages. By failing to properly authenticate or validate the source of file-write requests, the extension allows malicious JavaScript embedded in a crafted website to directly write files to the developer's file system, bypassing normal browser sandbox restrictions.

RemediationAI

Pega has issued a security advisory with remediation guidance available at https://support.pega.com/support-doc/pega-security-advisory-p25-vulnerability-remediation-note. Developers should immediately upgrade Pega Robot Studio to a patched version released after the advisory date (specific version numbers should be obtained from the Pega advisory). As an interim control, organizations should restrict developer access to untrusted websites during Robot Studio development sessions, disable interrogation mode when not actively in use, and educate developers to avoid clicking links to unfamiliar websites while working in automation development environments. Additionally, implement application whitelisting on developer workstations to restrict file-write operations to expected directories, and monitor file-system changes in sensitive project directories for unauthorized modifications.

Share

CVE-2026-0898 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy