Severity by source
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H
Lifecycle Timeline
3DescriptionCVE.org
An arbitrary file-write vulnerability in Pega Browser Extension (PBE) affects Pega Robot Studio developers who are automating Google Chrome and Microsoft Edge using either version 22.1 or R25. This vulnerability does not affect Robot Runtime users. A bad actor could create a website that includes malicious code. The vulnerability may be exploited if a Pega Robot Studio developer is deceived into visiting this website during interrogation mode in Robot Studio.
AnalysisAI
An arbitrary file-write vulnerability exists in Pega Browser Extension (PBE) affecting Pega Robot Studio developers using versions 22.1 or R25 who automate Google Chrome and Microsoft Edge browsers. A threat actor can craft a malicious website that, when visited by a developer during interrogation mode in Robot Studio, executes arbitrary file-write operations on the developer's system. This vulnerability does not affect end-user Robot Runtime deployments, limiting its blast radius to development environments.
Technical ContextAI
The vulnerability is rooted in improper access control mechanisms (CWE-284) within the Pega Browser Extension, a browser automation tool integrated with Pega Robot Studio. The extension operates with elevated privileges in developer mode (interrogation mode) to facilitate automation testing and code inspection in Chrome and Edge browsers. The root cause appears to be insufficient validation of website content and insufficient restriction of the extension's file-write capabilities when processing untrusted input from web pages. By failing to properly authenticate or validate the source of file-write requests, the extension allows malicious JavaScript embedded in a crafted website to directly write files to the developer's file system, bypassing normal browser sandbox restrictions.
RemediationAI
Pega has issued a security advisory with remediation guidance available at https://support.pega.com/support-doc/pega-security-advisory-p25-vulnerability-remediation-note. Developers should immediately upgrade Pega Robot Studio to a patched version released after the advisory date (specific version numbers should be obtained from the Pega advisory). As an interim control, organizations should restrict developer access to untrusted websites during Robot Studio development sessions, disable interrogation mode when not actively in use, and educate developers to avoid clicking links to unfamiliar websites while working in automation development environments. Additionally, implement application whitelisting on developer workstations to restrict file-write operations to expected directories, and monitor file-system changes in sensitive project directories for unauthorized modifications.
Same weakness CWE-284 – Improper Access Control
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-14476
GHSA-5c89-ppg6-hr22