CVE-2026-34775: Electron Node.js Integration Vulnerability
Platform: nodejs
Component: electron
Fixed in: 38.8.6
CVE-2026-34775 describes an issue in Electron where the `nodeIntegrationInWorker` webPreference was not correctly scoped in all configurations. This can lead to workers spawned in frames configured with `nodeIntegrationInWorker: false` still receiving Node.js integration, potentially allowing for unintended access to Node.js functionalities. This issue affects Electron versions up to and including 38.8.6. The vulnerability has been addressed in Electron versions 41.0.0, 40.8.4, 39.8.4, and 38.8.6.
How to fix
Upgrade Electron to version 38.8.6, 39.8.4, 40.8.4 or 41.0.0 to mitigate the vulnerability. Make sure the `nodeIntegrationInWorker` option is configured correctly to prevent unintended execution of Node.js code in workers.
Frequently asked questions
What is CVE-2026-34775?
CVE-2026-34775 is a medium severity vulnerability in Electron where the `nodeIntegrationInWorker` webPreference is incorrectly scoped, potentially granting Node.js integration to unintended workers.
Am I affected by CVE-2026-34775?
You are affected if your Electron application uses `nodeIntegrationInWorker` and is running a version less than or equal to 38.8.6. Apps that do not use `nodeIntegrationInWorker` are not affected.
How do I fix CVE-2026-34775?
Upgrade to Electron version 41.0.0, 40.8.4, 39.8.4, or 38.8.6. Alternatively, avoid enabling `nodeIntegrationInWorker` in apps that also open child windows or embed content with differing webPreferences.
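The following is an added example, not code from the advisory or from the Electron project: it checks an installed Electron version against the fixed releases listed on this page and flags source lines where `nodeIntegrationInWorker` is set to anything other than the literal `false`. The function names, the constructed `main.js` sample and the handling of release lines outside 38 to 41 are assumptions.

```javascript
// Fixed release for each major line, as listed in the advisory.
const FIXED = { 38: [38, 8, 6], 39: [39, 8, 4], 40: [40, 8, 4], 41: [41, 0, 0] };

// Parse an exact installed version ("38.8.5", "v41.0.0-beta.2"); null if malformed.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.-]+)?$/.exec(String(v).trim());
  return m && { parts: [+m[1], +m[2], +m[3]], prerelease: Boolean(m[4]) };
}

// True when the installed version is at or above the fixed release of its line.
function isPatched(version) {
  const v = parseVersion(version);
  if (!v) throw new Error(`unrecognised version: ${version}`);
  if (v.parts[0] > 41) return true;  // assumption: later lines carry the fix
  const fixed = FIXED[v.parts[0]];
  if (!fixed) return false;          // no fixed release listed for this line
  for (let i = 0; i < 3; i++) {
    if (v.parts[i] !== fixed[i]) return v.parts[i] > fixed[i];
  }
  return !v.prerelease;              // X.Y.Z-pre sorts before X.Y.Z
}

// 1-based line numbers that mention the option with any value except literal `false`.
function findEnabled(source) {
  const hits = [];
  source.split(/\r?\n/).forEach((line, i) => {
    const m = /\bnodeIntegrationInWorker\b(?:\s*:\s*([^,}\s]+))?/.exec(line);
    if (m && m[1] !== 'false') hits.push(i + 1);
  });
  return hits;
}

// Combine both checks: exposed means unpatched AND the option is enabled somewhere.
function assess(version, files) {
  const patched = isPatched(version);
  const enabledAt = Object.entries(files).flatMap(([name, src]) =>
    findEnabled(src).map((line) => `${name}:${line}`));
  return { patched, enabledAt, exposed: !patched && enabledAt.length > 0 };
}

// Constructed sample source, not taken from any real application.
const SAMPLE = { 'main.js': [
  "const { BrowserWindow } = require('electron');",
  'const editor = new BrowserWindow({ webPreferences: { nodeIntegrationInWorker: true } });',
  'const preview = new BrowserWindow({ webPreferences: { nodeIntegrationInWorker: false } });',
].join('\n') };

console.log(assess('38.8.5', SAMPLE));
```

Pass the version from the installed `electron` package rather than the range in `package.json`, since a range does not say which release was actually resolved.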