CVE-2026-34777
MEDIUMSeverity by source
AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N
Primary rating from GitHub Advisory.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N
Lifecycle Timeline
3DescriptionGitHub Advisory
Impact
When an iframe requests fullscreen, pointerLock, keyboardLock, openExternal, or media permissions, the origin passed to session.setPermissionRequestHandler() was the top-level page's origin rather than the requesting iframe's origin. Apps that grant permissions based on the origin parameter or webContents.getURL() may inadvertently grant permissions to embedded third-party content.
The correct requesting URL remains available via details.requestingUrl. Apps that already check details.requestingUrl are not affected.
Workarounds
In your setPermissionRequestHandler, inspect details.requestingUrl rather than the origin parameter or webContents.getURL() when deciding whether to grant fullscreen, pointerLock, keyboardLock, openExternal, or media permissions.
Fixed Versions
41.0.040.8.139.8.138.8.6
For more information
If there are any questions or comments about this advisory, please email [security@electronjs.org](mailto:security@electronjs.org)
AnalysisAI
Electron versions prior to 38.8.6, 39.8.1, 40.8.1, and 41.0.0 pass the top-level page origin instead of the requesting iframe's origin to permission request handlers for fullscreen, pointerLock, keyboardLock, openExternal, and media permissions, allowing attackers to trick applications into granting sensitive permissions to embedded third-party content via social engineering or malicious iframe injection. Unauthenticated remote attackers can exploit this via user interaction (iframe load), with CVSS 5.4 indicating moderate confidentiality and integrity impact; no public exploit code or active exploitation confirmed at time of analysis.
Technical ContextAI
Electron is a framework for building desktop applications using web technologies (Chromium + Node.js). When a frame within a webpage requests sensitive browser permissions (fullscreen, pointer lock, keyboard lock, external URL opening, or media access), Electron invokes the session.setPermissionRequestHandler() callback with a details object containing origin information. The vulnerability exists in the origin parameter passed to this handler-it incorrectly reflects the top-level document's origin (e.g., trusteddomain.com) rather than the origin of the requesting iframe (e.g., attacker.com embedded via <iframe src="https://attacker.com">). This is a logic flaw in CWE-346 (Origin Validation Error); the correct details.requestingUrl property is available but not used by vulnerable application code that relies on the origin parameter or webContents.getURL() for permission decisions.
RemediationAI
Upgrade Electron to one of the patched versions: 41.0.0 or later for version 41.x, 40.8.1 or later for version 40.x, 39.8.1 or later for version 39.x, or 38.8.6 or later for version 38.x. Immediately inspect your application's session.setPermissionRequestHandler() implementation and replace any permission grant decisions based on the origin parameter or webContents.getURL() with checks against details.requestingUrl instead; this workaround is effective even before upgrading and is the recommended defensive coding practice. Refer to the Electron security advisory at https://github.com/electron/electron/security/advisories/GHSA-r5p7-gp4j-qhrx for complete guidance.
Same weakness CWE-346 – Origin Validation Error
View allSame technique Information Disclosure
View allVendor StatusVendor
Share
External POC / Exploit Code
Leaving vuln.today
GHSA-r5p7-gp4j-qhrx