Skip to main content

Pega Browser Extension Pbe CVE-2026-1079

| EUVDEUVD-2026-19640 MEDIUM
Improper Access Control (CWE-284)
2026-04-07 Pega GHSA-5f74-cm8j-hpf8
6.0
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
6.0 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:N/VA:H/SC:N/SI:N/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:N/VA:H/SC:N/SI:N/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
P
Scope
X

Lifecycle Timeline

4
Patch available
Apr 16, 2026 - 05:29 EUVD
3.1.45
EUVD ID Assigned
Apr 07, 2026 - 15:30 euvd
EUVD-2026-19640
Analysis Generated
Apr 07, 2026 - 15:30 vuln.today
CVE Published
Apr 07, 2026 - 15:17 nvd
MEDIUM 6.0

DescriptionCVE.org

A native messaging host vulnerability in Pega Browser Extension (PBE) affects users of all versions of Pega Robotic Automation who have installed Pega Browser Extension. A bad actor could create a website that contains malicious code that targets PBE. The vulnerability could occur if a user navigates to this website. The malicious website could then present an unexpected message box.

AnalysisAI

Remote code execution via malicious websites targeting Pega Browser Extension (PBE) allows unauthenticated attackers to trigger unexpected message boxes and cause availability impact on affected systems. All versions of Pega Browser Extension prior to 3.1.45 are vulnerable; the attack requires user interaction (navigation to a malicious website) but no special privileges. CVSS 6.0 score reflects the moderate severity with high availability impact potential. No active exploitation or public exploit code has been identified at the time of analysis.

Technical ContextAI

The vulnerability resides in the native messaging host mechanism of Pega Browser Extension, a browser-based automation tool used within Pega Robotic Automation environments. Native messaging hosts enable bidirectional communication between web content and native applications; improper input validation or access control (CWE-284: Improper Access Control) in this messaging interface allows a remote attacker to craft malicious JavaScript on a website that communicates with the PBE native host. The affected product is identified by CPE cpe:2.3:a:pegasystems:pega_browser_extension_(pbe):*:*:*:*:*:*:*:*, with all versions prior to 3.1.45 confirmed vulnerable by ENISA EUVD-2026-19640.

RemediationAI

Upgrade Pega Browser Extension to version 3.1.45 or later to remediate the native messaging host vulnerability. Users should apply this patch immediately to all systems running PBE within Pega Robotic Automation deployments. Consult Pega's security advisory at https://support.pega.com/support-doc/pega-security-advisory-a26-vulnerability-remediation-note for detailed upgrade instructions and validation steps. No interim workarounds have been identified; patching is the primary mitigation.

Share

CVE-2026-1079 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy