Skip to main content

Microsoft CVE-2026-34773

MEDIUM
Improper Input Validation (CWE-20)
2026-04-03 https://github.com/electron/electron GHSA-mwmh-mq4g-g6gr
4.7
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
4.7 MEDIUM
AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:N
Red Hat
4.7 MEDIUM
qualitative

Primary rating from GitHub Advisory.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:N
Attack Vector
Local
Attack Complexity
High
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
High
Availability
None

Lifecycle Timeline

3
Patch released
Apr 03, 2026 - 08:30 nvd
Patch available
Analysis Generated
Apr 03, 2026 - 02:45 vuln.today
CVE Published
Apr 03, 2026 - 02:41 nvd
MEDIUM 4.7

DescriptionGitHub Advisory

Impact

On Windows, app.setAsDefaultProtocolClient(protocol) did not validate the protocol name before writing to the registry. Apps that pass untrusted input as the protocol name may allow an attacker to write to arbitrary subkeys under HKCU\Software\Classes\, potentially hijacking existing protocol handlers.

Apps are only affected if they call app.setAsDefaultProtocolClient() with a protocol name derived from external or untrusted input. Apps that use a hardcoded protocol name are not affected.

Workarounds

Validate the protocol name matches /^[a-zA-Z][a-zA-Z0-9+.-]*$/ before passing it to app.setAsDefaultProtocolClient().

Fixed Versions

  • 41.0.0
  • 40.8.1
  • 39.8.1
  • 38.8.6

For more information

If there are any questions or comments about this advisory, please email [security@electronjs.org](mailto:security@electronjs.org)

AnalysisAI

Electron's setAsDefaultProtocolClient() on Windows fails to validate protocol names before writing to the Windows registry, allowing local authenticated attackers to hijack protocol handlers by writing to arbitrary HKCU\Software\Classes\ subkeys when apps pass untrusted input as the protocol parameter. The vulnerability affects Electron versions prior to 38.8.6, 39.8.1, 40.8.1, and 41.0.0, and requires local access and low privileges; no public exploit has been identified at time of analysis.

Technical ContextAI

Electron is a framework for building cross-platform desktop applications using web technologies. On Windows, the setAsDefaultProtocolClient() API allows applications to register themselves as the default handler for custom protocol schemes (e.g., 'myapp://'). The vulnerability stems from insufficient input validation (CWE-20: Improper Input Validation) on the protocol name parameter before it is used to construct registry keys. Without validation, an attacker-controlled protocol name containing special characters or path traversal sequences can manipulate the registry write operation to target unintended subkeys under HKEY_CURRENT_USER\Software\Classes\, potentially overwriting legitimate protocol handler registrations. The affected CPE pkg:npm/electron indicates this affects the npm package across multiple major versions.

RemediationAI

Vendor-released patches are available: Electron 38.8.6, 39.8.1, 40.8.1, and 41.0.0 contain the fix. Applications must update to the appropriate patched version for their major version branch. As an interim workaround, applications should validate protocol names against the regular expression /^[a-zA-Z][a-zA-Z0-9+.-]*$/ before passing them to app.setAsDefaultProtocolClient(); this ensures protocol names conform to RFC 3986 scheme syntax and prevents registry injection. Developers should also audit all callers of setAsDefaultProtocolClient() to identify whether untrusted input is being passed and apply the validation workaround immediately if such cases exist. For further guidance, contact security@electronjs.org or review https://github.com/electron/electron/security/advisories/GHSA-mwmh-mq4g-g6gr.

Vendor StatusVendor

Share

CVE-2026-34773 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy