Skip to main content

Microsoft EUVDEUVD-2026-19949

| CVE-2026-34765 MEDIUM
Exposure of Resource to Wrong Sphere (CWE-668)
2026-04-07 https://github.com/electron/electron GHSA-f3pv-wv63-48x8
6.0
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
6.0 MEDIUM
AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:L
Red Hat
7.1 MEDIUM
qualitative

Primary rating from GitHub Advisory.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:L
Attack Vector
Network
Attack Complexity
High
Privileges Required
Low
User Interaction
None
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
Low

Lifecycle Timeline

4
Patch released
Apr 07, 2026 - 20:30 nvd
Patch available
EUVD ID Assigned
Apr 07, 2026 - 16:00 euvd
EUVD-2026-19949
Analysis Generated
Apr 07, 2026 - 16:00 vuln.today
CVE Published
Apr 07, 2026 - 15:52 nvd
MEDIUM 6.0

DescriptionGitHub Advisory

Impact

When a renderer calls window.open() with a target name, Electron did not correctly scope the named-window lookup to the opener's browsing context group. A renderer could navigate an existing child window that was opened by a different, unrelated renderer if both used the same target name. If that existing child was created with more permissive webPreferences (via setWindowOpenHandler's overrideBrowserWindowOptions), content loaded by the second renderer inherits those permissions.

Apps are only affected if they open multiple top-level windows with differing trust levels and use setWindowOpenHandler to grant child windows elevated webPreferences such as a privileged preload script. Apps that do not elevate child window privileges, or that use a single top-level window, are not affected.

Apps that additionally grant nodeIntegration: true or sandbox: false to child windows (contrary to the security recommendations) may be exposed to arbitrary code execution.

Workarounds

Deny window.open() in renderers that load untrusted content by returning { action: 'deny' } from setWindowOpenHandler. Avoid granting child windows more permissive webPreferences than their opener.

Fixed Versions

  • 42.0.0-alpha.5
  • 41.1.0
  • 40.8.5
  • 39.8.5

For more information

If you have any questions or comments about this advisory, email us at [security@electronjs.org](mailto:security@electronjs.org)

AnalysisAI

Electron's window.open() handler fails to properly scope named-window lookups to the opener's browsing context group, allowing a renderer to hijack an existing child window opened by a different renderer and potentially inherit elevated webPreferences including privileged preload scripts. This affects Electron versions before 39.8.5, 40.8.5, 41.1.0, and 42.0.0-alpha.5, and poses a remote code execution risk only in applications that open multiple top-level windows with differing trust levels and grant child windows elevated permissions via setWindowOpenHandler. No public exploit identified at time of analysis.

Technical ContextAI

Electron is a framework for building cross-platform desktop applications using web technologies (HTML, CSS, JavaScript). The vulnerability exists in Electron's renderer process implementation of the window.open() API. The root cause (CWE-668: Operation on Resource in the Wrong Phase of Lifetime) stems from improper scoping of the named-window lookup mechanism. When a renderer invokes window.open() with a target name, Electron should restrict the lookup to windows within that renderer's browsing context group (conceptually similar to browser same-origin policy). Instead, the renderer-side lookup was global across all windows, enabling cross-renderer window hijacking. When a second, untrusted renderer navigates an existing child window created by a trusted renderer, the child inherits the webPreferences (including preload scripts, nodeIntegration settings, sandbox configuration) of its original opener. The affected product is npm package 'electron' across multiple major/minor versions.

RemediationAI

Immediately upgrade to patched versions: Electron 39.8.5, 40.8.5, 41.1.0, or 42.0.0-alpha.5 or later, selecting the version that matches your current major/minor branch. For applications still on older major versions without patches, apply the following workarounds: (1) Return { action: 'deny' } from setWindowOpenHandler in any renderer that loads untrusted content to completely block window.open() calls; (2) Avoid granting child windows more permissive webPreferences than their opener window; (3) Do not grant nodeIntegration:true or sandbox:false to child windows unless absolutely necessary and the content is fully trusted. See https://github.com/electron/electron/releases/tag/v39.8.5, https://github.com/electron/electron/releases/tag/v40.8.5, https://github.com/electron/electron/releases/tag/v41.1.0, and https://github.com/electron/electron/releases/tag/v42.0.0-alpha.5 for patch details and https://github.com/advisories/GHSA-f3pv-wv63-48x8 for full advisory.

Vendor StatusVendor

Share

EUVD-2026-19949 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy