Question
Nationwide Building Society
GB
Last activity: 2 Feb 2026 4:50 EST
CAD-D992: NATWBS - A26: Pega RPA – Pega Browser Extension (PBE) Vulnerability as pertaining to Citrix servers
Does the vulnerability as stated in CAD-D992 released 21 Jan also apply to PBEs which are installed on Citrix servers?
We are taking immediate measures to package the 22.1.53 runtime with the new 3.1.45 PBE to mitigate the security issue.
We also have a Citrix server farm which currently hosts the 22.1.53 runtime, which has the 3.1.40 PBE.
We will be upgrading the entire farm with the new 3.1.45 PBE, so this new issue will be mitigated in due course.
However, we need to complete an immediate risk assessment on the current Citrix server Pega software configuration.
Because Citrix is a more secure environment, we want to understand whether this new security vulnerability also applies to PBEs installed on Citrix.
Thank you
Rich Bien
@RichardB3397 Treat every Citrix server that currently has Pega Browser Extension 3.1.40 installed as affected, because hosting the browser on Citrix does not change the extension’s code or exposure path.
Update your risk assessment by marking the entire Citrix gold image and all cloned hosts as vulnerable until the extension version is replaced.
Immediately remove PBE 3.1.40 from the Citrix base image and deploy the runtime package that includes PBE 3.1.45 across the full farm.
After deployment, validate on live Citrix sessions that the installed extension version is 3.1.45 on each server and that 3.1.40 cannot load.
Once every Citrix session runs PBE 3.1.45, record the vulnerability as mitigated for Citrix and close the immediate risk assessment.
Document the residual risk period as the time window between identifying 3.1.40 in the farm and completing the 3.1.45 rollout.
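
One way to run the per-server version check described in the answer above, as an added example that is not part of the original thread and is not Pega tooling. It assumes the extension is unpacked under the standard Chrome or Edge profile folders; the extension ID is a placeholder to be replaced with the ID shown for PBE on the browser's extensions page.

```powershell
# Added example: report every on-disk copy of the Pega Browser Extension on this server.
# ASSUMPTIONS: $ExtensionId is a placeholder; standard Chrome/Edge per-user profile paths.
param(
    [string]$ExtensionId   = 'PBE_EXTENSION_ID_PLACEHOLDER',
    [version]$FixedVersion = '3.1.45',
    [string]$UsersRoot     = 'C:\Users'
)

$browserRoots = @(
    'AppData\Local\Google\Chrome\User Data',
    'AppData\Local\Microsoft\Edge\User Data'
)

$findings = foreach ($user in Get-ChildItem -Path $UsersRoot -Directory -ErrorAction SilentlyContinue) {
    foreach ($rel in $browserRoots) {
        $root = Join-Path $user.FullName $rel
        if (-not (Test-Path -LiteralPath $root)) { continue }
        # Each browser profile (Default, Profile 1, ...) keeps its own Extensions folder,
        # with one sub-folder per installed version of the extension.
        $pattern = Join-Path $root "*\Extensions\$ExtensionId\*\manifest.json"
        foreach ($manifest in Get-ChildItem -Path $pattern -File -ErrorAction SilentlyContinue) {
            $json = Get-Content -LiteralPath $manifest.FullName -Raw | ConvertFrom-Json
            $ver  = $json.version -as [version]   # $null if the string is not a valid version
            [pscustomobject]@{
                Server   = $env:COMPUTERNAME
                User     = $user.Name
                Browser  = ($rel -split '\\')[3]   # 'Chrome' or 'Edge'
                Version  = $json.version
                Status   = if ($ver -and $ver -ge $FixedVersion) { 'OK' } else { 'VULNERABLE' }
                Manifest = $manifest.FullName
            }
        }
    }
}

if (-not $findings) {
    Write-Warning "No copy of extension '$ExtensionId' found under $UsersRoot."
    exit 2
}

$findings | Sort-Object Status, User | Format-Table -AutoSize

# A non-zero exit code lets a deployment or monitoring job flag this server.
if ($findings.Status -contains 'VULNERABLE') { exit 1 }
```

Run it elevated on each server while user sessions are active, so that profiles that exist only during a live session are included. It reports what is installed on disk; confirming what a session actually loads still requires checking the browser's extensions page in that session.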