Skip to main content

CVE-2026-34777

MEDIUM
Origin Validation Error (CWE-346)
2026-04-03 https://github.com/electron/electron GHSA-r5p7-gp4j-qhrx
5.4
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
5.4 MEDIUM
AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N
Red Hat
5.4 MEDIUM
qualitative

Primary rating from GitHub Advisory.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

3
Patch released
Apr 03, 2026 - 08:30 nvd
Patch available
Analysis Generated
Apr 03, 2026 - 02:45 vuln.today
CVE Published
Apr 03, 2026 - 02:44 nvd
MEDIUM 5.4

DescriptionGitHub Advisory

Impact

When an iframe requests fullscreen, pointerLock, keyboardLock, openExternal, or media permissions, the origin passed to session.setPermissionRequestHandler() was the top-level page's origin rather than the requesting iframe's origin. Apps that grant permissions based on the origin parameter or webContents.getURL() may inadvertently grant permissions to embedded third-party content.

The correct requesting URL remains available via details.requestingUrl. Apps that already check details.requestingUrl are not affected.

Workarounds

In your setPermissionRequestHandler, inspect details.requestingUrl rather than the origin parameter or webContents.getURL() when deciding whether to grant fullscreen, pointerLock, keyboardLock, openExternal, or media permissions.

Fixed Versions

  • 41.0.0
  • 40.8.1
  • 39.8.1
  • 38.8.6

For more information

If there are any questions or comments about this advisory, please email [security@electronjs.org](mailto:security@electronjs.org)

AnalysisAI

Electron versions prior to 38.8.6, 39.8.1, 40.8.1, and 41.0.0 pass the top-level page origin instead of the requesting iframe's origin to permission request handlers for fullscreen, pointerLock, keyboardLock, openExternal, and media permissions, allowing attackers to trick applications into granting sensitive permissions to embedded third-party content via social engineering or malicious iframe injection. Unauthenticated remote attackers can exploit this via user interaction (iframe load), with CVSS 5.4 indicating moderate confidentiality and integrity impact; no public exploit code or active exploitation confirmed at time of analysis.

Technical ContextAI

Electron is a framework for building desktop applications using web technologies (Chromium + Node.js). When a frame within a webpage requests sensitive browser permissions (fullscreen, pointer lock, keyboard lock, external URL opening, or media access), Electron invokes the session.setPermissionRequestHandler() callback with a details object containing origin information. The vulnerability exists in the origin parameter passed to this handler-it incorrectly reflects the top-level document's origin (e.g., trusteddomain.com) rather than the origin of the requesting iframe (e.g., attacker.com embedded via <iframe src="https://attacker.com">). This is a logic flaw in CWE-346 (Origin Validation Error); the correct details.requestingUrl property is available but not used by vulnerable application code that relies on the origin parameter or webContents.getURL() for permission decisions.

RemediationAI

Upgrade Electron to one of the patched versions: 41.0.0 or later for version 41.x, 40.8.1 or later for version 40.x, 39.8.1 or later for version 39.x, or 38.8.6 or later for version 38.x. Immediately inspect your application's session.setPermissionRequestHandler() implementation and replace any permission grant decisions based on the origin parameter or webContents.getURL() with checks against details.requestingUrl instead; this workaround is effective even before upgrading and is the recommended defensive coding practice. Refer to the Electron security advisory at https://github.com/electron/electron/security/advisories/GHSA-r5p7-gp4j-qhrx for complete guidance.

Vendor StatusVendor

Share

CVE-2026-34777 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy