CVE-2026-34766
LOWSeverity by source
AV:L/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:N
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:N
Lifecycle Timeline
3DescriptionGitHub Advisory
Impact
The select-usb-device event callback did not validate the chosen device ID against the filtered list that was presented to the handler. An app whose handler could be influenced to select a device ID outside the filtered set would grant access to a device that did not match the renderer's requested filters or was listed in exclusionFilters.
The WebUSB security blocklist remained enforced regardless, so security-sensitive devices on the blocklist were not affected. The practical impact is limited to apps with unusual device-selection logic.
Workarounds
There are no app side workarounds, you must update to a patched version of Electron.
Fixed Versions
41.0.0-beta.840.7.039.8.038.8.6
For more information
If there are any questions or comments about this advisory, send an email to [security@electronjs.org](mailto:security@electronjs.org)
AnalysisAI
Electron's WebUSB device selection handler fails to validate chosen device IDs against renderer-requested filters, allowing authenticated local users with UI interaction to bypass intended device access restrictions and gain access to unfiltered USB devices. The vulnerability affects Electron versions prior to 38.8.6, 39.8.0, 40.7.0, and 41.0.0-beta.8, with CVSS 3.3 (low severity) due to local-only attack vector and UI interaction requirement; the WebUSB security blocklist remains enforced, limiting practical impact to applications with non-standard device selection logic.
Technical ContextAI
Electron's WebUSB API implementation includes a device selection mechanism that presents users with a filtered list of USB devices based on the renderer process's requested filters and exclusion filters. The vulnerability exists in the select-usb-device event callback handler, which failed to validate that the device ID ultimately selected by the user matched the original filtered device set presented to them. This represents a missing authorization check (CWE-862: Missing Authorization) where the main process accepted a device selection without re-verifying it against the declared filter constraints. While the WebUSB security blocklist-a hardcoded list of security-sensitive devices like FIDO keys-remained enforced at a lower layer, the filter bypass allows access to devices outside the originally requested scope. The npm package 'electron' across multiple major versions contained this validation gap in its USB device enumeration and selection logic.
RemediationAI
Vendor-released patches are available for all supported versions: upgrade to Electron 38.8.6, 39.8.0, 40.7.0, or 41.0.0-beta.8 depending on your current major version. No application-side workarounds exist; patching is mandatory. Review your application's WebUSB implementation and device selection logic after patching to ensure filters are correctly specified. Consult the official GitHub Security Advisory at https://github.com/electron/electron/security/advisories/GHSA-9899-m83m-qhpj for version-specific upgrade guidance and contact security@electronjs.org with any questions.
Same weakness CWE-862 – Missing Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
GHSA-9899-m83m-qhpj