Skip to main content

CVE-2026-34778

MEDIUM
Authentication Bypass by Spoofing (CWE-290)
2026-04-03 https://github.com/electron/electron GHSA-xj5x-m3f3-5x3h
5.9
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
5.9 MEDIUM
AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:H/A:N
Red Hat
5.9 MEDIUM
qualitative

Primary rating from GitHub Advisory.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:H/A:N
Attack Vector
Network
Attack Complexity
High
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
High
Availability
None

Lifecycle Timeline

3
Patch released
Apr 03, 2026 - 08:30 nvd
Patch available
Analysis Generated
Apr 03, 2026 - 02:45 vuln.today
CVE Published
Apr 03, 2026 - 02:44 nvd
MEDIUM 5.9

DescriptionGitHub Advisory

Impact

A service worker running in a session could spoof reply messages on the internal IPC channel used by webContents.executeJavaScript() and related methods, causing the main-process promise to resolve with attacker-controlled data.

Apps are only affected if they have service workers registered and use the result of webContents.executeJavaScript() (or webFrameMain.executeJavaScript()) in security-sensitive decisions.

Workarounds

Do not trust the return value of webContents.executeJavaScript() for security decisions. Use dedicated, validated IPC channels for security-relevant communication with renderers.

Fixed Versions

  • 41.0.0
  • 40.8.1
  • 39.8.1
  • 38.8.6

For more information

If there are any questions or comments about this advisory, please email [security@electronjs.org](mailto:security@electronjs.org)

AnalysisAI

Electron's service worker implementation allows spoofing of internal IPC reply messages, enabling a malicious service worker to inject attacker-controlled data into the main process's promise resolution from webContents.executeJavaScript() and related methods. This affects Electron versions prior to 41.0.0, 40.8.1, 39.8.1, and 38.8.6, and impacts only applications that register service workers and rely on executeJavaScript() return values for security decisions. The vulnerability requires local authenticated access and medium attack complexity, with no public exploit code or active exploitation confirmed at analysis time.

Technical ContextAI

Electron's webContents.executeJavaScript() and webFrameMain.executeJavaScript() methods use an internal IPC (Inter-Process Communication) channel to transmit code execution results from the renderer process back to the main process. The vulnerability stems from insufficient validation of reply messages on this internal channel (CWE-290: Improper Input Validation), allowing a service worker-which runs within the renderer process context-to craft and inject spoofed messages that the main process accepts as legitimate responses. This breaks the trust boundary between the renderer and main process for security-critical data flows. The NPM package 'electron' across multiple versions (before the fixed versions) is affected, as indicated by the CPE identifiers.

RemediationAI

Upgrade Electron to version 41.0.0 or later (recommended for active development), or to the latest patch version within your supported release line: 40.8.1 for the 40.x branch, 39.8.1 for the 39.x branch, or 38.8.6 for the 38.x branch. As an interim workaround before patching, do not use the return value of webContents.executeJavaScript() or webFrameMain.executeJavaScript() for security decisions; instead, implement dedicated and validated IPC channels (using ipcMain/ipcRenderer with explicit message validation) for all security-relevant communication between renderer and main processes. Applications not using service workers or not relying on executeJavaScript() for security logic face minimal real-world risk. Consult https://github.com/advisories/GHSA-xj5x-m3f3-5x3h for additional context.

Vendor StatusVendor

Share

CVE-2026-34778 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy