CVE-2026-34769

HIGH
2026-04-03 https://github.com/electron/electron GHSA-9wfr-w7mm-pc7f
7.7
CVSS 3.1
Share

CVSS Vector

CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
High
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

3
Patch Released
Apr 03, 2026 - 08:30 nvd
Patch available
Analysis Generated
Apr 03, 2026 - 02:45 vuln.today
CVE Published
Apr 03, 2026 - 02:39 nvd
HIGH 7.7

Tags

RCE

Description

### Impact An undocumented `commandLineSwitches` webPreference allowed arbitrary switches to be appended to the renderer process command line. Apps that construct `webPreferences` by spreading untrusted configuration objects may inadvertently allow an attacker to inject switches that disable renderer sandboxing or web security controls. Apps are only affected if they construct `webPreferences` from external or untrusted input without an allowlist. Apps that use a fixed, hardcoded `webPreferences` object are not affected. ### Workarounds Do not spread untrusted input into `webPreferences`. Use an explicit allowlist of permitted preference keys when constructing `BrowserWindow` or `webContents` options from external configuration. ### Fixed Versions * `41.0.0-beta.8` * `40.7.0` * `39.8.0` * `38.8.6` ### For more information If there are any questions or comments about this advisory, send an email to [[email protected]](mailto:[email protected])

Analysis

Command line injection in Electron via undocumented commandLineSwitches webPreference enables sandbox escape and security control bypass when applications spread untrusted configuration objects into webPreferences. Attackers can inject arbitrary command-line switches to disable renderer process sandboxing or web security protections, achieving local code execution with elevated privileges. …

Sign in for full analysis, threat intelligence, and remediation guidance.

Remediation

Within 24 hours: Identify all Electron-based applications in your environment and document which versions are in use; notify application vendors of exposure. Within 7 days: Implement input validation and sanitization for any application-level configuration objects passed to webPreferences; restrict users' ability to load external or user-supplied configuration files; review Electron security advisories for each affected application. …

Sign in for detailed remediation steps.

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

Sign in - Free

Priority Score

39
Low Medium High Critical
KEV: 0
EPSS: +0.0
CVSS: +38
POC: 0

Share

CVE-2026-34769 vulnerability details – vuln.today
Back

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy