CVE-2026-34775
MEDIUM
GHSA-xwr5-m59h-vwqr
CVSS Vector
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N
Lifecycle Timeline
3Description
### Impact The `nodeIntegrationInWorker` webPreference was not correctly scoped in all configurations. In certain process-sharing scenarios, workers spawned in frames configured with `nodeIntegrationInWorker: false` could still receive Node.js integration. Apps are only affected if they enable `nodeIntegrationInWorker`. Apps that do not use `nodeIntegrationInWorker` are not affected. ### Workarounds Avoid enabling `nodeIntegrationInWorker` in apps that also open child windows or embed content with differing webPreferences. ### Fixed Versions * `41.0.0` * `40.8.4` * `39.8.4` * `38.8.6` ### For more information If there are any questions or comments about this advisory, please email [[email protected]](mailto:[email protected])
Analysis
Electron's nodeIntegrationInWorker webPreference fails to properly isolate Node.js integration in worker contexts across certain process-sharing configurations, allowing workers in frames explicitly configured with nodeIntegrationInWorker: false to unexpectedly gain Node.js capabilities. Only applications that explicitly enable nodeIntegrationInWorker are affected. …
Sign in for full analysis, threat intelligence, and remediation guidance.
Priority Score
Share
External POC / Exploit Code
Leaving vuln.today