CVE-2026-34769: Electron WebPreferences RCE Vulnerability
Platform: nodejs
Component: electron
Fixed in: 38.8.6
CVE-2026-34769 is a vulnerability in Electron related to the `commandLineSwitches` webPreference. It can potentially allow arbitrary switches to be appended to the renderer process command line, leading to remote code execution. This can occur when an application constructs `webPreferences` from untrusted input without proper sanitization, which can potentially disable renderer sandboxing or web security controls. This affects Electron versions ≤38.8.6. The recommended workaround is to avoid spreading untrusted input directly into `webPreferences`.
How to fix
Upgrade to Electron 38.8.6 or later, 39.8.0 or later, 40.7.0 or later, or 41.0.0-beta.8 or later. Avoid building `webPreferences` from external or untrusted sources without an allowlist of permitted options.
Frequently asked questions
What is CVE-2026-34769?
CVE-2026-34769 is a vulnerability in Electron where untrusted input spread into `webPreferences` can allow arbitrary command line switches, potentially leading to remote code execution.
Am I affected by CVE-2026-34769?
You are affected if your Electron application constructs `webPreferences` by spreading untrusted configuration objects, particularly in Electron versions ≤38.8.6. Fixed, hardcoded `webPreferences` are not affected.
How can I fix or mitigate CVE-2026-34769?
To mitigate this vulnerability, avoid spreading untrusted input directly into `webPreferences`. Ensure that any configuration objects used to construct `webPreferences` are properly validated and sanitized.
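One way to implement the allowlist described above, as an added example (not code from Electron or from this advisory). The function name `buildWebPreferences`, the choice of allowed keys and the sample input are assumptions made for illustration.

```javascript
// Keys an untrusted config may set, each with a strict value check.
// Anything not listed here (including commandLineSwitches) is dropped.
const ALLOWED = {
  zoomFactor: (v) => typeof v === 'number' && Number.isFinite(v) && v >= 0.25 && v <= 5,
  spellcheck: (v) => typeof v === 'boolean',
  defaultFontSize: (v) => Number.isInteger(v) && v >= 8 && v <= 72,
};

// Security-relevant settings are fixed by the application and applied last,
// so no input can override them.
const ENFORCED = Object.freeze({
  sandbox: true,
  contextIsolation: true,
  nodeIntegration: false,
  webSecurity: true,
});

// Returns the safe webPreferences plus the list of rejected keys for logging.
function buildWebPreferences(untrusted) {
  const prefs = {};
  const rejected = [];
  if (untrusted !== null && typeof untrusted === 'object' && !Array.isArray(untrusted)) {
    for (const key of Object.keys(untrusted)) {
      const isAllowed = Object.prototype.hasOwnProperty.call(ALLOWED, key);
      if (isAllowed && ALLOWED[key](untrusted[key])) {
        prefs[key] = untrusted[key];
      } else {
        rejected.push(key);
      }
    }
  }
  return { webPreferences: { ...prefs, ...ENFORCED }, rejected };
}

// Constructed sample: a settings object received from an untrusted source.
const sample = JSON.parse(
  '{"zoomFactor":1.25,"sandbox":false,"commandLineSwitches":"<placeholder>","spellcheck":"yes"}'
);
const result = buildWebPreferences(sample);
console.log(result.webPreferences, 'rejected:', result.rejected);

// In the main process, instead of `webPreferences: { ...untrustedConfig }`:
//   new BrowserWindow({ webPreferences: buildWebPreferences(untrustedConfig).webPreferences });
```

Logging the `rejected` list gives a cheap signal that a configuration source is supplying keys the application never expects.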