{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-0898", "assignerOrgId": "c91e5604-2bd1-401f-a0ec-b25342b57ef9", "state": "PUBLISHED", "assignerShortName": "Pega", "dateReserved": "2026-01-13T17:31:36.351Z", "datePublished": "2026-03-23T18:41:52.837Z", "dateUpdated": "2026-03-24T14:37:30.588Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "c91e5604-2bd1-401f-a0ec-b25342b57ef9", "shortName": "Pega", "dateUpdated": "2026-03-23T18:41:52.837Z"}, "title": "An arbitrary file-write vulnerability in Pega Browser Extension (PBE) affects Pega Robot Studio developers who are automating Google Chrome and Microsoft Edge using either version 22.1 or R25.", "datePublic": "2026-03-23T20:00:00.000Z", "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-284", "description": "CWE-284: Improper Access Control", "type": "CWE"}]}], "impacts": [{"capecId": "CAPEC-121", "descriptions": [{"lang": "en", "value": "CAPEC-121: Exploit Process Communication"}]}], "affected": [{"vendor": "Pegasystems", "product": "Pega Robot Studio", "versions": [{"status": "affected", "version": "22.1"}, {"status": "affected", "version": "R25"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "An arbitrary file-write vulnerability in Pega Browser Extension (PBE) affects Pega Robot Studio developers who are automating Google Chrome and Microsoft Edge using either version 22.1 or R25. This vulnerability does not affect Robot Runtime users. A bad actor could create a website that includes malicious code. The vulnerability may be exploited if a Pega Robot Studio developer is deceived into visiting this website during interrogation mode in Robot Studio.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "<div><div>An arbitrary file-write vulnerability in Pega Browser Extension (PBE) affects Pega Robot Studio developers who are automating Google Chrome and Microsoft Edge using either version 22.1 or R25. This vulnerability does not affect Robot Runtime users. A bad actor could create a website that includes malicious code. The vulnerability may be exploited if a Pega Robot Studio developer is deceived into visiting this website during interrogation mode in Robot Studio.</div></div>"}]}], "references": [{"url": "https://support.pega.com/support-doc/pega-security-advisory-p25-vulnerability-remediation-note"}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "NONE", "userInteraction": "PASSIVE", "vulnConfidentialityImpact": "HIGH", "subConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "subIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subAvailabilityImpact": "HIGH", "exploitMaturity": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "version": "4.0", "baseSeverity": "CRITICAL", "baseScore": 9, "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H"}}], "credits": [{"lang": "en", "value": "Ramon Dunker from Achmea, Security Assessment Team", "type": "finder"}], "source": {"discovery": "UNKNOWN"}, "x_generator": {"engine": "Vulnogram 0.2.0"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-24T14:37:24.108479Z", "id": "CVE-2026-0898", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-24T14:37:30.588Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-0898", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-03-24T14:37:24.108479Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-24T14:37:27.253Z"}}], "cna": {"title": "An arbitrary file-write vulnerability in Pega Browser Extension (PBE) affects Pega Robot Studio developers who are automating Google Chrome and Microsoft Edge using either version 22.1 or R25.", "source": {"discovery": "UNKNOWN"}, "credits": [{"lang": "en", "type": "finder", "value": "Ramon Dunker from Achmea, Security Assessment Team"}], "impacts": [{"capecId": "CAPEC-121", "descriptions": [{"lang": "en", "value": "CAPEC-121: Exploit Process Communication"}]}], "metrics": [{"format": "CVSS", "cvssV4_0": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 9, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "PASSIVE", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "NONE", "subIntegrityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "subAvailabilityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Pegasystems", "product": "Pega Robot Studio", "versions": [{"status": "affected", "version": "22.1"}, {"status": "affected", "version": "R25"}], "defaultStatus": "unaffected"}], "datePublic": "2026-03-23T20:00:00.000Z", "references": [{"url": "https://support.pega.com/support-doc/pega-security-advisory-p25-vulnerability-remediation-note"}], "x_generator": {"engine": "Vulnogram 0.2.0"}, "descriptions": [{"lang": "en", "value": "An arbitrary file-write vulnerability in Pega Browser Extension (PBE) affects Pega Robot Studio developers who are automating Google Chrome and Microsoft Edge using either version 22.1 or R25. This vulnerability does not affect Robot Runtime users. A bad actor could create a website that includes malicious code. The vulnerability may be exploited if a Pega Robot Studio developer is deceived into visiting this website during interrogation mode in Robot Studio.", "supportingMedia": [{"type": "text/html", "value": "<div><div>An arbitrary file-write vulnerability in Pega Browser Extension (PBE) affects Pega Robot Studio developers who are automating Google Chrome and Microsoft Edge using either version 22.1 or R25. This vulnerability does not affect Robot Runtime users. A bad actor could create a website that includes malicious code. The vulnerability may be exploited if a Pega Robot Studio developer is deceived into visiting this website during interrogation mode in Robot Studio.</div></div>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-284", "description": "CWE-284: Improper Access Control"}]}], "providerMetadata": {"orgId": "c91e5604-2bd1-401f-a0ec-b25342b57ef9", "shortName": "Pega", "dateUpdated": "2026-03-23T18:41:52.837Z"}}}, "cveMetadata": {"cveId": "CVE-2026-0898", "state": "PUBLISHED", "dateUpdated": "2026-03-24T14:37:30.588Z", "dateReserved": "2026-01-13T17:31:36.351Z", "assignerOrgId": "c91e5604-2bd1-401f-a0ec-b25342b57ef9", "datePublished": "2026-03-23T18:41:52.837Z", "assignerShortName": "Pega"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "An arbitrary file-write vulnerability in Pega Browser Extension (PBE) affects Pega Robot Studio developers who are automating Google Chrome and Microsoft Edge using either version 22.1 or R25. This vulnerability does not affect Robot Runtime users. A bad actor could create a website that includes malicious code. The vulnerability may be exploited if a Pega Robot Studio developer is deceived into visiting this website during interrogation mode in Robot Studio."}, {"lang": "es", "value": "Una vulnerabilidad de escritura de archivos arbitraria en la extensi\u00f3n de navegador Pega (PBE) afecta a los desarrolladores de Pega Robot Studio que est\u00e1n automatizando Google Chrome y Microsoft Edge utilizando la versi\u00f3n 22.1 o R25. Esta vulnerabilidad no afecta a los usuarios de Robot Runtime. Un actor malicioso podr\u00eda crear un sitio web que incluya c\u00f3digo malicioso. La vulnerabilidad podr\u00eda ser explotada si un desarrollador de Pega Robot Studio es enga\u00f1ado para visitar este sitio web durante el modo de interrogaci\u00f3n en Robot Studio."}], "id": "CVE-2026-0898", "lastModified": "2026-03-24T15:54:09.400", "metrics": {"cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 9.0, "baseSeverity": "CRITICAL", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "HIGH", "subConfidentialityImpact": "HIGH", "subIntegrityImpact": "HIGH", "userInteraction": "PASSIVE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security@pega.com", "type": "Secondary"}]}, "published": "2026-03-23T19:16:39.040", "references": [{"source": "security@pega.com", "url": "https://support.pega.com/support-doc/pega-security-advisory-p25-vulnerability-remediation-note"}], "sourceIdentifier": "security@pega.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-284"}], "source": "security@pega.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "22.1"}}, {"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "R25"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "Pega Robot Studio", "source": "cna", "vendor": "Pegasystems"}, "product": "pega_robot_studio", "vendor": "pegasystems"}], "analysis": {"en": {"generated_at": "2026-03-23T20:23:16.787287+00:00", "value": {"mitigation_remediation": ["Apply the vendor patch or update to a fixed version of Pega Robot Studio (post 22.1 or R25) as described in the Pega security advisory.", "Consult the Pega support document at https://support.pega.com/support-doc/pega-security-advisory-p25-vulnerability-remediation-note for detailed remediation guidance.", "If a patch is not yet available, disable the Pega Browser Extension during automation or restrict its usage to trusted sites only.", "Educate developers to avoid visiting untrusted or unknown websites while the Robot Studio is in interrogation mode.", "Monitor system logs and audit Pega Robot Studio activity for unauthorized file-write events."], "summary": {"action": "Immediate Patch", "impact": "Remote Code Execution"}, "threat_synthesis": {"affected_systems": "Pegasystems\u2019s Pega Robot Studio development environment is impacted. The flaw affects version 22.1 and release 25. The issue does not affect users of Robot Runtime. The vulnerability is only relevant when developers are automating Google Chrome or Microsoft Edge through the Pega Browser Extension.", "description_and_impact": "A flaw in the Pega Browser Extension allows a developer to write arbitrary files on the system hosting Pega Robot Studio. The manufacturer notes that malicious code could be delivered via a web page that a developer visits while in interrogation mode. Because an attacker can write files, including potentially executable ones, this defect can lead to execution of arbitrary code or local privilege escalation. The weakness is classified as CWE-284, which indicates an unauthorized modification of system resources.", "risk_and_exploitability": "The CVSS score of 9 indicates a high severity. The EPSS score is not available, so the likelihood of exploitation cannot be quantified, but the vulnerability is considered high risk because it requires no advanced skills\u2014only a malicious web site accessed during interrogation mode. The flaw is not listed in the CISA KEV catalog, suggesting no known active exploitation reports, yet the attack vector relies on user interaction. The product\u2019s support document provides a remediation path, which organisations should follow promptly to mitigate this risk."}}}}, "created": "2026-03-24T10:33:15.904313+00:00", "updated": "2026-03-25T20:37:07.604884+00:00", "vendors": ["pegasystems", "pegasystems$PRODUCT$pega_robot_studio"]}