CVE-2026-34769
HIGHSeverity by source
AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Primary rating from NVD.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Lifecycle Timeline
4DescriptionNVD
Impact
An undocumented commandLineSwitches webPreference allowed arbitrary switches to be appended to the renderer process command line. Apps that construct webPreferences by spreading untrusted configuration objects may inadvertently allow an attacker to inject switches that disable renderer sandboxing or web security controls.
Apps are only affected if they construct webPreferences from external or untrusted input without an allowlist. Apps that use a fixed, hardcoded webPreferences object are not affected.
Workarounds
Do not spread untrusted input into webPreferences. Use an explicit allowlist of permitted preference keys when constructing BrowserWindow or webContents options from external configuration.
Fixed Versions
41.0.0-beta.840.7.039.8.038.8.6
For more information
If there are any questions or comments about this advisory, send an email to [security@electronjs.org](mailto:security@electronjs.org)
AnalysisAI
Command line injection in Electron via undocumented commandLineSwitches webPreference enables sandbox escape and security control bypass when applications spread untrusted configuration objects into webPreferences. Attackers can inject arbitrary command-line switches to disable renderer process sandboxing or web security protections, achieving local code execution with elevated privileges. CVSS 7.8 (High) with attack complexity HIGH requiring user interaction. No public exploit identified at time of analysis, though technical disclosure is public via GitHub advisory.
Technical ContextAI
Electron is a framework for building cross-platform desktop applications using web technologies (Chromium + Node.js). The vulnerability stems from CWE-88 (Improper Neutralization of Argument Delimiters in a Command) involving an undocumented commandLineSwitches webPreference option. When applications dynamically construct BrowserWindow or webContents options using JavaScript spread operators on untrusted input, attackers can inject arbitrary Chromium command-line switches into renderer processes. Critical switches like --disable-web-security, --no-sandbox, or --disable-site-isolation-trials can fundamentally undermine Electron's security model by breaking renderer process isolation, disabling same-origin policy enforcement, or compromising the sandbox that prevents renderer code from accessing system resources. Affected package is pkg:npm/electron across versions prior to the fixed releases. The scope change (S:C) in the CVSS vector indicates the vulnerability can affect resources beyond the vulnerable component's security scope, reflecting sandbox escape potential.
RemediationAI
Upgrade Electron to patched versions: 41.0.0-beta.8 or later for 41.x beta users, 40.7.0 or later for 40.x stable branch, 39.8.0 or later for 39.x branch, or 38.8.6 or later for 38.x branch. For applications unable to upgrade immediately, implement strict input validation by creating an explicit allowlist of permitted webPreferences keys when constructing BrowserWindow or webContents options from external configuration sources. Refactor code to avoid using JavaScript spread operators or Object.assign on untrusted configuration objects directly into webPreferences. Instead, use defensive copying that only includes known-safe preference keys. Review all code paths where webPreferences are constructed from user-controlled files (config files, environment variables, command-line arguments) and apply allowlist validation. Complete technical guidance available in the official advisory at https://github.com/electron/electron/security/advisories/GHSA-9wfr-w7mm-pc7f. For additional security questions, contact security@electronjs.org.
Vendor StatusVendor
Share
External POC / Exploit Code
Leaving vuln.today
GHSA-9wfr-w7mm-pc7f