Skip to main content

CVE-2026-34766

LOW
Missing Authorization (CWE-862)
2026-04-03 https://github.com/electron/electron GHSA-9899-m83m-qhpj
3.3
CVSS 3.1 · GitHub Advisory

Severity by source

GitHub Advisory PRIMARY
3.3 LOW
AV:L/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:N
Attack Vector
Local
Attack Complexity
High
Privileges Required
Low
User Interaction
Required
Scope
Unchanged
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

3
Patch released
Apr 03, 2026 - 08:30 nvd
Patch available
Analysis Generated
Apr 03, 2026 - 02:45 vuln.today
CVE Published
Apr 03, 2026 - 02:36 nvd
LOW 3.3

DescriptionGitHub Advisory

Impact

The select-usb-device event callback did not validate the chosen device ID against the filtered list that was presented to the handler. An app whose handler could be influenced to select a device ID outside the filtered set would grant access to a device that did not match the renderer's requested filters or was listed in exclusionFilters.

The WebUSB security blocklist remained enforced regardless, so security-sensitive devices on the blocklist were not affected. The practical impact is limited to apps with unusual device-selection logic.

Workarounds

There are no app side workarounds, you must update to a patched version of Electron.

Fixed Versions

  • 41.0.0-beta.8
  • 40.7.0
  • 39.8.0
  • 38.8.6

For more information

If there are any questions or comments about this advisory, send an email to [security@electronjs.org](mailto:security@electronjs.org)

AnalysisAI

Electron's WebUSB device selection handler fails to validate chosen device IDs against renderer-requested filters, allowing authenticated local users with UI interaction to bypass intended device access restrictions and gain access to unfiltered USB devices. The vulnerability affects Electron versions prior to 38.8.6, 39.8.0, 40.7.0, and 41.0.0-beta.8, with CVSS 3.3 (low severity) due to local-only attack vector and UI interaction requirement; the WebUSB security blocklist remains enforced, limiting practical impact to applications with non-standard device selection logic.

Technical ContextAI

Electron's WebUSB API implementation includes a device selection mechanism that presents users with a filtered list of USB devices based on the renderer process's requested filters and exclusion filters. The vulnerability exists in the select-usb-device event callback handler, which failed to validate that the device ID ultimately selected by the user matched the original filtered device set presented to them. This represents a missing authorization check (CWE-862: Missing Authorization) where the main process accepted a device selection without re-verifying it against the declared filter constraints. While the WebUSB security blocklist-a hardcoded list of security-sensitive devices like FIDO keys-remained enforced at a lower layer, the filter bypass allows access to devices outside the originally requested scope. The npm package 'electron' across multiple major versions contained this validation gap in its USB device enumeration and selection logic.

RemediationAI

Vendor-released patches are available for all supported versions: upgrade to Electron 38.8.6, 39.8.0, 40.7.0, or 41.0.0-beta.8 depending on your current major version. No application-side workarounds exist; patching is mandatory. Review your application's WebUSB implementation and device selection logic after patching to ensure filters are correctly specified. Consult the official GitHub Security Advisory at https://github.com/electron/electron/security/advisories/GHSA-9899-m83m-qhpj for version-specific upgrade guidance and contact security@electronjs.org with any questions.

Share

CVE-2026-34766 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy