CVE-2026-34773: Electron Protocol Handler Hijacking on Windows
Platform: nodejs
Component: electron
Fixed in: 38.8.6
CVE-2026-34773 is a vulnerability in Electron on Windows where `app.setAsDefaultProtocolClient(protocol)` does not validate the protocol name, potentially allowing an attacker to hijack existing protocol handlers by writing to arbitrary registry subkeys. This impacts applications that use untrusted input as the protocol name. Affected versions are Electron ≤38.8.6. A workaround is to validate the protocol name against `/^[a-zA-Z][a-zA-Z0-9+.-]*$/`.
How to fix
Update Electron to version 38.8.6, 39.8.1, 40.8.1 or 41.0.0 or later. Make sure the protocol name passed to `app.setAsDefaultProtocolClient()` comes from a trusted source and not from user-supplied input, to prevent registry key injection.
Frequently asked questions
What is CVE-2026-34773?
CVE-2026-34773 is a medium severity vulnerability in Electron on Windows that allows attackers to hijack protocol handlers by writing to the registry if an application uses untrusted input for the protocol name.
Am I affected by CVE-2026-34773?
You are affected if your Electron application on Windows calls `app.setAsDefaultProtocolClient()` with a protocol name derived from external or untrusted input. Apps using hardcoded protocol names are not affected.
How can I fix or mitigate CVE-2026-34773?
Validate that the protocol name matches the regular expression `/^[a-zA-Z][a-zA-Z0-9+.-]*$/` before calling `app.setAsDefaultProtocolClient()` to prevent malicious registry writes. No official patch available.