Platform: chrome
Component: pega-browser-extension
Fixed in: 22.1.1, 25.0.1
CVE-2026-1078 describes an arbitrary file-write vulnerability discovered in the Pega Browser Extension (PBE). This flaw impacts users of Pega Robotic Automation version 22.1 or R25 who utilize Google Chrome or Microsoft Edge. A malicious website containing crafted code could be leveraged to exploit this vulnerability, allowing an attacker to write arbitrary files.
The primary impact of CVE-2026-1078 lies in the potential for an attacker to gain unauthorized write access to files on a user's system. By crafting a malicious website and enticing a Robot Runtime user to navigate to it, an attacker could inject arbitrary code or data. This could lead to data corruption, system compromise, or the execution of malicious commands. The blast radius extends to any system where the vulnerable Pega Browser Extension is installed and used within the Robotic Automation workflow. Successful exploitation could allow an attacker to escalate privileges and potentially gain control of the affected system.
CVE-2026-1078 was publicly disclosed on 2026-04-07. There are currently no known public proof-of-concept exploits available. The EPSS score is pending evaluation. This vulnerability highlights the importance of carefully vetting third-party browser extensions and the websites they interact with, especially within automated workflows.
Exploit Status
EPSS: 0.05% (17% percentile)
The primary mitigation for CVE-2026-1078 is to upgrade to a patched version of the Pega Browser Extension. Pega has not yet released a fixed version, so users should monitor Pega's security advisories for updates. As a temporary workaround, restrict Robot Runtime users from navigating to untrusted websites. Implement strict content security policies (CSP) within the Robotic Automation workflows to limit the resources that the browser extension can access. Regularly review and audit the websites that Robot Runtime users interact with.
Update the Pega Browser Extension (PBE) to a patched version. Refer to the Pegasystems security remediation note (https://support.pega.com/support-doc/pega-security-advisory-a26-vulnerability-remediation-note) for detailed instructions on how to mitigate this vulnerability.
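To check whether an installed copy is below the fixed versions listed on this page, the sketch below audits a Chrome or Edge profile directory. It is an added example, not code from Pega or from this page. It assumes that the extension's manifest `name` contains "pega" and that its manifest `version` uses the same numbering as the "Fixed in" values. The extension IDs and sample manifests are constructed.

```python
import json
import tempfile
from pathlib import Path

# Fixed versions listed on this page: 22.1 branch -> 22.1.1, R25 branch -> 25.0.1.
FIXED = {22: (22, 1, 1), 25: (25, 0, 1)}
# Assumption: the extension's manifest "name" contains this string (not from the page).
NAME_HINT = "pega"

def parse_version(text):
    """Turn '22.1.0' into (22, 1, 0); non-numeric parts count as 0."""
    return tuple(int(p) if p.isdecimal() else 0 for p in text.split("."))

def classify(version):
    """Return 'patched', 'needs-update' or 'unknown-branch' for a version string."""
    v = parse_version(version)
    fixed = FIXED.get(v[0])
    if fixed is None:
        return "unknown-branch"
    return "patched" if v >= fixed else "needs-update"

def audit_profile(profile_dir):
    """Scan <profile>/Extensions/<id>/<version>/manifest.json for matching extensions."""
    findings = []
    for manifest in sorted(Path(profile_dir).glob("Extensions/*/*/manifest.json")):
        try:
            data = json.loads(manifest.read_text(encoding="utf-8-sig"))
        except (OSError, ValueError):
            continue  # unreadable or corrupt manifest: skip it, keep auditing
        if not isinstance(data, dict) or NAME_HINT not in str(data.get("name", "")).lower():
            continue
        version = str(data.get("version", ""))
        findings.append((manifest.parts[-3], version, classify(version)))
    return findings

def build_sample_profile(root):
    """Constructed sample data: a fake profile holding three extensions."""
    for ext_id, name, version in [("aaaaexampleid1", "Pega Browser Extension", "22.1.0"),
                                  ("bbbbexampleid2", "Pega Browser Extension", "25.0.1"),
                                  ("ccccexampleid3", "Unrelated Extension", "1.0.0")]:
        d = Path(root) / "Extensions" / ext_id / f"{version}_0"
        d.mkdir(parents=True)
        (d / "manifest.json").write_text(json.dumps({"name": name, "version": version}))
    return root

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for ext_id, version, status in audit_profile(build_sample_profile(tmp)):
            print(f"{ext_id}  {version}  {status}")
```

On a real host, pass each browser profile directory (for example the `Default` folder under Chrome's or Edge's `User Data` directory) to `audit_profile`. A manifest whose name is a localized `__MSG_...__` placeholder will not match the name hint and needs matching by extension ID instead.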
CVE-2026-1078 is a vulnerability in Pega Browser Extension allowing attackers to write arbitrary files via malicious websites, affecting versions 22.1–R25.
You are affected if you use Pega Robotic Automation version 22.1–R25 with the Pega Browser Extension and your Robot Runtime users navigate to untrusted websites.
Upgrade to a patched version of the Pega Browser Extension as soon as it becomes available. Monitor Pega's security advisories for updates.
As of now, there are no confirmed reports of active exploitation, but the vulnerability is publicly known.
Refer to the official Pega security advisories on the Pega website for the latest information and updates regarding CVE-2026-1078.