Skip to main content

CVE-2026-34769

HIGH
Improper Neutralization of Argument Delimiters in a Command ('Argument Injection') (CWE-88)
2026-04-03 https://github.com/electron/electron GHSA-9wfr-w7mm-pc7f
8.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
8.8 HIGH
AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Red Hat
7.7 HIGH
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

4
CVSS changed
Jun 30, 2026 - 03:24 NVD
7.7 (HIGH) 8.8 (HIGH)
Patch released
Apr 03, 2026 - 08:30 nvd
Patch available
Analysis Generated
Apr 03, 2026 - 02:45 vuln.today
CVE Published
Apr 03, 2026 - 02:39 nvd
HIGH 7.7

DescriptionNVD

Impact

An undocumented commandLineSwitches webPreference allowed arbitrary switches to be appended to the renderer process command line. Apps that construct webPreferences by spreading untrusted configuration objects may inadvertently allow an attacker to inject switches that disable renderer sandboxing or web security controls.

Apps are only affected if they construct webPreferences from external or untrusted input without an allowlist. Apps that use a fixed, hardcoded webPreferences object are not affected.

Workarounds

Do not spread untrusted input into webPreferences. Use an explicit allowlist of permitted preference keys when constructing BrowserWindow or webContents options from external configuration.

Fixed Versions

  • 41.0.0-beta.8
  • 40.7.0
  • 39.8.0
  • 38.8.6

For more information

If there are any questions or comments about this advisory, send an email to [security@electronjs.org](mailto:security@electronjs.org)

AnalysisAI

Command line injection in Electron via undocumented commandLineSwitches webPreference enables sandbox escape and security control bypass when applications spread untrusted configuration objects into webPreferences. Attackers can inject arbitrary command-line switches to disable renderer process sandboxing or web security protections, achieving local code execution with elevated privileges. CVSS 7.8 (High) with attack complexity HIGH requiring user interaction. No public exploit identified at time of analysis, though technical disclosure is public via GitHub advisory.

Technical ContextAI

Electron is a framework for building cross-platform desktop applications using web technologies (Chromium + Node.js). The vulnerability stems from CWE-88 (Improper Neutralization of Argument Delimiters in a Command) involving an undocumented commandLineSwitches webPreference option. When applications dynamically construct BrowserWindow or webContents options using JavaScript spread operators on untrusted input, attackers can inject arbitrary Chromium command-line switches into renderer processes. Critical switches like --disable-web-security, --no-sandbox, or --disable-site-isolation-trials can fundamentally undermine Electron's security model by breaking renderer process isolation, disabling same-origin policy enforcement, or compromising the sandbox that prevents renderer code from accessing system resources. Affected package is pkg:npm/electron across versions prior to the fixed releases. The scope change (S:C) in the CVSS vector indicates the vulnerability can affect resources beyond the vulnerable component's security scope, reflecting sandbox escape potential.

RemediationAI

Upgrade Electron to patched versions: 41.0.0-beta.8 or later for 41.x beta users, 40.7.0 or later for 40.x stable branch, 39.8.0 or later for 39.x branch, or 38.8.6 or later for 38.x branch. For applications unable to upgrade immediately, implement strict input validation by creating an explicit allowlist of permitted webPreferences keys when constructing BrowserWindow or webContents options from external configuration sources. Refactor code to avoid using JavaScript spread operators or Object.assign on untrusted configuration objects directly into webPreferences. Instead, use defensive copying that only includes known-safe preference keys. Review all code paths where webPreferences are constructed from user-controlled files (config files, environment variables, command-line arguments) and apply allowlist validation. Complete technical guidance available in the official advisory at https://github.com/electron/electron/security/advisories/GHSA-9wfr-w7mm-pc7f. For additional security questions, contact security@electronjs.org.

Vendor StatusVendor

Share

CVE-2026-34769 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy