CVE-2026-34768: Electron Unquoted Path RCE on Windows (≤38.8.6)
Platform
nodejs
Component
electron
Fixed in
38.8.6
CVE-2026-34768 describes an unquoted path vulnerability affecting Electron applications on Windows. Specifically, `app.setLoginItemSettings({openAtLogin: true})` writes the executable path to the `Run` registry key without quoting it; if that path contains spaces, this can lead to remote code execution (RCE). This issue affects Electron versions up to and including 38.8.6. A workaround is to install the application to a path without spaces.
How to fix
No official patch available. Check for workarounds or monitor for updates.
Frequently asked questions
What is CVE-2026-34768?
CVE-2026-34768 is an unquoted path vulnerability in Electron on Windows. When an Electron application uses `app.setLoginItemSettings` to run at login, the executable path is written to the registry without quotes, potentially leading to RCE.
Am I affected by CVE-2026-34768?
You are likely affected if your application is built on Electron version 38.8.6 or earlier, runs on Windows, and is installed in a directory whose path contains spaces. An attacker with write access to an ancestor directory of the installation path could exploit this vulnerability.
How do I fix or mitigate CVE-2026-34768?
To mitigate this vulnerability, install the Electron application to a path that does not contain spaces. Alternatively, install to a location where standard users have no write access to the installation directory or any of its ancestor directories.
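To check whether an installed application has already registered an unquoted autorun command, the following PowerShell audit is an added example (not part of this advisory or of Electron): it reads the per-user and machine-wide `Run` keys and reports every value whose executable path is unquoted and contains whitespace, which is the condition this vulnerability depends on. The function name and the output fields are this example's own choices.

```powershell
# Added example: audit autorun "Run" keys for unquoted executable paths
# that contain whitespace (the precondition for CVE-2026-34768).
function Get-UnquotedRunEntry {
    [CmdletBinding()]
    param(
        # Both the per-user and the machine-wide autorun locations.
        [string[]]$RunKeys = @(
            'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
            'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
        )
    )
    # Provider metadata that Get-ItemProperty attaches to every result.
    $metaProps = @('PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider')

    foreach ($key in $RunKeys) {
        if (-not (Test-Path -Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($name in $props.PSObject.Properties.Name) {
            if ($metaProps -contains $name) { continue }
            $command = [string]$props.$name
            # A command that starts with a quote has its executable path delimited; skip it.
            if ($command.StartsWith('"')) { continue }
            # Take the executable portion: everything up to the first ".exe".
            # -match is case-insensitive, so ".EXE" is handled as well.
            $exe = $command
            if ($command -match '^(?<exe>.*?\.exe)') { $exe = $Matches['exe'] }
            # Only an unquoted path containing whitespace is ambiguous to the loader.
            if ($exe -notmatch '\s') { continue }
            [pscustomobject]@{
                Key        = $key
                Name       = $name
                Command    = $command
                Executable = $exe
                Finding    = 'Unquoted executable path contains whitespace'
            }
        }
    }
}

# Usage: list every affected autorun entry on this machine.
Get-UnquotedRunEntry | Format-Table -AutoSize
```

Entries reported here should be re-registered with a quoted command, or the application should be reinstalled to a path without spaces as the advisory recommends.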