CVE-2026-34778: Electron IPC Spoofing Vulnerability (<=38.8.6)
Platform: nodejs
Component: electron
Fixed in: 38.8.6
CVE-2026-34778 describes an IPC spoofing vulnerability in Electron. A service worker can spoof reply messages on the internal IPC channel, leading to the main process resolving promises with attacker-controlled data. This impacts applications that rely on the results of `webContents.executeJavaScript()` for security-sensitive decisions. Affected versions are Electron ≤38.8.6. Currently, there is no official patch available.
How to fix
Update Electron to version 38.8.6, 39.8.1, 40.8.1, or 41.0.0 or later. Make sure applications do not make security decisions based on the results of `webContents.executeJavaScript()` or `webFrameMain.executeJavaScript()` when service workers are in use.
Frequently asked questions
What is CVE-2026-34778?
CVE-2026-34778 is an IPC spoofing vulnerability in Electron that allows a service worker to manipulate reply messages on the internal IPC channel.
Am I affected by CVE-2026-34778?
You are affected if you are using Electron version ≤38.8.6 and your application uses service workers and relies on the result of `webContents.executeJavaScript()` for security decisions.
How can I fix or mitigate CVE-2026-34778?
Currently, there is no official patch. As a workaround, do not trust the return value of `webContents.executeJavaScript()` for security decisions. Use dedicated, validated IPC channels for security-relevant tasks.
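The mitigation described above, a dedicated and validated IPC channel instead of a decision built on an `executeJavaScript()` result, as an added example that is not part of this advisory or of Electron itself. It assumes a hypothetical `privileged-action` channel, an app origin of `https://app.example`, and a main-process `sessions` map keyed by `webContents` id; Electron's `ipcMain` and event objects are passed in rather than imported so the logic runs under plain Node.

```javascript
// Added example, not code from the advisory or from the Electron project.
// Electron objects (ipcMain, event.senderFrame, event.sender) are passed in
// rather than imported so the logic runs stand-alone under plain Node.

// Weak pattern: a privileged decision gated on a value handed back from the
// renderer. A spoofed IPC reply (CVE-2026-34778) resolves this promise with
// attacker-chosen data, so `isAdmin` cannot be trusted.
async function weakGate(webContents) {
  const isAdmin = await webContents.executeJavaScript('window.currentUser.isAdmin');
  return isAdmin === true ? 'granted' : 'denied';
}

// Hardened pattern: a dedicated channel whose requests are validated, and
// whose authorisation comes from main-process state, not from the message.
function createSecureGate(ipcMain, { allowedOrigin, sessions }) {
  function validateRequest(event, payload) {
    const frame = event.senderFrame;
    // Only top-level frames of the app's own origin may use this channel.
    if (!frame || frame.parent !== null) return { ok: false, reason: 'not a top-level frame' };
    let origin;
    try { origin = new URL(frame.url).origin; } catch { return { ok: false, reason: 'bad url' }; }
    if (origin !== allowedOrigin) return { ok: false, reason: 'bad origin' };
    // Strict payload shape; authority claims from the renderer are rejected outright.
    if (!payload || typeof payload !== 'object') return { ok: false, reason: 'bad payload' };
    if (typeof payload.action !== 'string' || !/^[a-z-]{1,32}$/.test(payload.action)) {
      return { ok: false, reason: 'bad action' };
    }
    if ('isAdmin' in payload) return { ok: false, reason: 'authority claim in payload' };
    return { ok: true };
  }

  function decide(event, payload) {
    const v = validateRequest(event, payload);
    if (!v.ok) return { granted: false, reason: v.reason };
    // Look up the caller's privileges by sender id in state the main process owns.
    const session = sessions.get(event.sender.id);
    const granted = Boolean(session && session.allowedActions.includes(payload.action));
    return { granted, reason: granted ? 'ok' : 'not authorised' };
  }

  ipcMain.handle('privileged-action', decide); // real wiring: ipcMain.handle(channel, listener)
  return { validateRequest, decide };
}

// Constructed stand-in for Electron's ipcMain, used to run the example offline.
function fakeIpcMain() {
  const handlers = new Map();
  return { handle: (ch, fn) => handlers.set(ch, fn), invoke: (ch, ev, p) => handlers.get(ch)(ev, p) };
}
```

In a real app, `fakeIpcMain()` is replaced by `require('electron').ipcMain`, and the renderer calls the channel through `ipcRenderer.invoke('privileged-action', { action })` from a preload script.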