Platform
javascript
Component
pega-browser-extension
Fixed in
3.1.45
CVE-2026-1079 describes a native messaging host vulnerability within the Pega Browser Extension (PBE), a component of Pega Robotic Automation. This flaw allows a malicious website to potentially trigger unexpected message box displays, impacting user experience and potentially leading to further exploitation. The vulnerability affects versions of PBE from 0.0.0 through 3.1.45, and a fix is available in version 3.1.45.
The primary impact of CVE-2026-1079 lies in the potential for a malicious website to trigger unexpected message boxes within the Pega Browser Extension. While the immediate impact might seem limited to a disruptive user experience, this vulnerability could be a stepping stone for more sophisticated attacks. An attacker could leverage the unexpected message box to trick users into revealing sensitive information or performing unintended actions. The blast radius extends to any user of Pega Robotic Automation who has the Pega Browser Extension installed and navigates to a compromised website. This vulnerability highlights the risks associated with native messaging hosts and the importance of secure browser extension development.
CVE-2026-1079 was publicly disclosed on 2026-04-07. There are currently no publicly known proof-of-concept exploits available. The EPSS score is pending evaluation. This vulnerability is not currently listed on the CISA KEV catalog.
Exploit Status
EPSS
0.05% (17% percentile)
CISA SSVC
The primary mitigation for CVE-2026-1079 is to upgrade the Pega Browser Extension to version 3.1.45 or later. This updated version includes the necessary fixes to address the native messaging host vulnerability. If immediate upgrading is not feasible, consider temporarily restricting access to untrusted websites and reviewing browser extension permissions. While a WAF or proxy cannot directly mitigate this vulnerability, they can help prevent users from accessing known malicious websites. After upgrading, confirm the fix by navigating to a known safe website and verifying that no unexpected message boxes are displayed.
Update the Pega Browser Extension (PBE) to version 3.1.45 or higher to mitigate the vulnerability. Refer to the Pegasystems documentation for detailed instructions on how to update the extension and secure your environment.
Vulnerability analysis and critical alerts directly to your inbox.
CVE-2026-1079 is a vulnerability in the Pega Browser Extension allowing malicious websites to trigger unexpected message boxes. It affects versions 0.0.0–3.1.45.
You are affected if you use Pega Robotic Automation and have the Pega Browser Extension installed in versions 0.0.0 through 3.1.45.
Upgrade the Pega Browser Extension to version 3.1.45 or later to resolve the vulnerability.
There are currently no publicly known active exploitation campaigns for CVE-2026-1079.
Please refer to the official Pega security advisory for detailed information and updates regarding CVE-2026-1079.
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.