Skip to main content

Red Hat CVE-2026-34767

MEDIUM
Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') (CWE-74)
2026-04-03 https://github.com/electron/electron GHSA-4p4r-m79c-wq3v
5.9
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
5.9 MEDIUM
AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:H/A:N
Red Hat
5.9 MEDIUM
qualitative

Primary rating from GitHub Advisory.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:H/A:N
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
Low
Integrity
High
Availability
None

Lifecycle Timeline

3
Patch released
Apr 03, 2026 - 08:30 nvd
Patch available
Analysis Generated
Apr 03, 2026 - 02:45 vuln.today
CVE Published
Apr 03, 2026 - 02:37 nvd
MEDIUM 5.9

DescriptionGitHub Advisory

Impact

Apps that register custom protocol handlers via protocol.handle() / protocol.registerSchemesAsPrivileged() or modify response headers via webRequest.onHeadersReceived may be vulnerable to HTTP response header injection if attacker-controlled input is reflected into a response header name or value.

An attacker who can influence a header value may be able to inject additional response headers, affecting cookies, content security policy, or cross-origin access controls.

Apps that do not reflect external input into response headers are not affected.

Workarounds

Validate or sanitize any untrusted input before including it in a response header name or value.

Fixed Versions

  • 41.0.3
  • 40.8.3
  • 39.8.3
  • 38.8.6

For more information

If there are any questions or comments about this advisory, send an email to [security@electronjs.org](mailto:security@electronjs.org)

AnalysisAI

HTTP response header injection in Electron allows remote attackers to inject malicious headers via crafted input reflected in response headers when custom protocol handlers or webRequest.onHeadersReceived are used. An attacker can manipulate cookies, content security policy, or cross-origin access controls in affected applications. This affects Electron 41.x before 41.0.3, 40.x before 40.8.3, 39.x before 39.8.3, and 38.x before 38.8.6; no public exploit code is documented at time of analysis.

Technical ContextAI

The vulnerability exists in Electron's protocol handling and web request interception mechanisms. When applications register custom protocol handlers via protocol.handle() or protocol.registerSchemesAsPrivileged(), or modify response headers via webRequest.onHeadersReceived event handlers, unsanitized external input can be directly injected into HTTP response header names or values. This is a classic header injection vulnerability (CWE-74: Improper Neutralization of Special Elements used in an HTTP Header) where newline characters or header-delimiter syntax in attacker-controlled data allow injection of additional headers. The root cause is insufficient input validation before headers are constructed and sent to clients. The vulnerability is specific to Electron npm packages across multiple major versions.

RemediationAI

Upgrade to patched versions: Electron 41.0.3 or later, 40.8.3 or later, 39.8.3 or later, or 38.8.6 or later. As a workaround, validate and sanitize all untrusted input before including it in response header names or values; specifically, reject or escape input containing newline characters (CR/LF) and other HTTP header delimiters. For applications using webRequest.onHeadersReceived, implement strict allowlisting of header values and sanitize any dynamic content. Refer to the GitHub Security Advisory at https://github.com/electron/electron/security/advisories/GHSA-4p4r-m79c-wq3v for additional context.

Vendor StatusVendor

Share

CVE-2026-34767 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy