CVE-2026-34768: Electron Unquoted Path Local Code Execution on Windows (<38.8.6)
Platform: nodejs
Component: electron
Fixed in: 38.8.6
CVE-2026-34768 describes an unquoted path vulnerability in Electron applications on Windows. When an application calls `app.setLoginItemSettings({openAtLogin: true})`, Electron writes the executable path to the `Run` registry key without quoting it. If the install path contains spaces (for example under `C:\Program Files\`), Windows resolves the unquoted command line by trying each space-delimited prefix as the program name, so an attacker with write access to an ancestor directory of the executable can plant a file such as `C:\Program.exe` and have it run at login in place of the application. Because the planted binary runs in the context of the user logging in, this is a local privilege escalation whenever that user is more privileged than the attacker. Electron releases before the fixed versions (38.8.6, 39.8.1, 40.8.0 and 41.0.0-beta.8) are affected. Until the application ships a fixed Electron, install it to a path without spaces, or to a location whose ancestor directories are not writable by standard users.
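As an added example (not Electron's code and not taken from this advisory), the Node.js script below does what a practitioner checking for this bug would do by hand: it audits a `Run` registry value for the unquoted-path pattern, lists the files an attacker could plant (following Microsoft's documented CreateProcess search order for an unquoted command line), shows a quoted form of the same entry, and tests an Electron version string against the fixed releases listed above. The registry values, the `--openAtLogin` argument and the version numbers other than the fixed releases are constructed samples; reading the real key (for example with `reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run`) is left to the reader.

```javascript
// Added example (not Electron's own code): audit Windows "Run" registry values
// for the unquoted-path pattern behind CVE-2026-34768, show a quoted form, and
// check whether an Electron version is below the fixed releases.
// All registry values below are constructed samples, not captured data.

// Fixed releases per major line, as listed in the advisory. Majors older than 38
// have no fixed release listed, so they are treated as affected; majors newer
// than 41 are assumed to have shipped after the fix (assumption).
const FIXED = { 38: '38.8.6', 39: '39.8.1', 40: '40.8.0', 41: '41.0.0-beta.8' };

// Parse "x.y.z" or "x.y.z-pre.N" into comparable parts.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?$/.exec(v.trim());
  if (!m) throw new Error(`not a semver string: ${v}`);
  return { nums: [Number(m[1]), Number(m[2]), Number(m[3])], pre: m[4] || null };
}

// Comparator: negative if a < b. A prerelease sorts before its release, and
// prerelease identifiers compare numerically when both are numeric.
function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa.nums[i] !== pb.nums[i]) return pa.nums[i] - pb.nums[i];
  }
  if (pa.pre === pb.pre) return 0;
  if (pa.pre === null) return 1;
  if (pb.pre === null) return -1;
  const xs = pa.pre.split('.'), ys = pb.pre.split('.');
  for (let i = 0; i < Math.max(xs.length, ys.length); i++) {
    if (xs[i] === undefined) return -1;
    if (ys[i] === undefined) return 1;
    if (xs[i] === ys[i]) continue;
    const nx = Number(xs[i]), ny = Number(ys[i]);
    if (!Number.isNaN(nx) && !Number.isNaN(ny)) return nx - ny;
    return xs[i] < ys[i] ? -1 : 1;
  }
  return 0;
}

function isAffectedElectronVersion(version) {
  const major = parseVersion(version).nums[0];
  if (major < 38) return true;
  const fixed = FIXED[major];
  if (!fixed) return false;
  return compareVersions(version, fixed) < 0;
}

// Audit one Run-key value. Without quotes, CreateProcess tries each
// space-delimited prefix as the program name (appending ".exe" when the name
// has no extension) until one exists on disk. Every prefix before the real
// executable is therefore a file an attacker could plant if they can write
// to its directory. Expects the real executable to end in ".exe".
function auditRunValue(runValue) {
  const value = runValue.trim();
  if (value.startsWith('"')) {
    const end = value.indexOf('"', 1);
    return { quoted: true, intended: value.slice(1, end), plantable: [] };
  }
  const tokens = value.split(' ');
  const plantable = [];
  let intended = null;
  for (let i = 0; i < tokens.length; i++) {
    const prefix = tokens.slice(0, i + 1).join(' ');
    if (/\.exe$/i.test(prefix)) { intended = prefix; break; }
    const name = prefix.slice(prefix.lastIndexOf('\\') + 1);
    const path = name.includes('.') ? prefix : prefix + '.exe';
    plantable.push({ path, dir: path.slice(0, path.lastIndexOf('\\')) });
  }
  return { quoted: false, intended, plantable };
}

// A quoted form of the entry: the executable path is wrapped in quotes so the
// spaces in it can no longer split the path. (Illustrative; not necessarily
// the exact string the fixed Electron releases write.)
function quotedLoginItemCommand(exePath, args = []) {
  const quote = (s) => (s.includes(' ') ? `"${s}"` : s);
  return [`"${exePath}"`, ...args.map(quote)].join(' ');
}

// Constructed sample values, as a vulnerable and a fixed app might leave them
// under HKCU\Software\Microsoft\Windows\CurrentVersion\Run.
const SAMPLE_RUN_VALUES = {
  'My App (vulnerable)': 'C:\\Program Files\\My App\\My App.exe --openAtLogin',
  'My App (fixed)': '"C:\\Program Files\\My App\\My App.exe" --openAtLogin',
  'Tool (no spaces)': 'C:\\Tools\\tool.exe',
};

if (typeof require !== 'undefined' && require.main === module) {
  for (const [name, v] of Object.entries(SAMPLE_RUN_VALUES)) {
    const r = auditRunValue(v);
    const status = r.quoted ? 'quoted' : `UNQUOTED, ${r.plantable.length} plantable`;
    console.log(`${name}: ${status}`, r.plantable.map((p) => p.path));
  }
  console.log(quotedLoginItemCommand('C:\\Program Files\\My App\\My App.exe', ['--openAtLogin']));
  console.log('38.8.5 affected:', isAffectedElectronVersion('38.8.5'));
}
```

Only plantable entries whose `dir` is writable by a less privileged account matter in practice; the script does not check ACLs, so follow it up with `icacls` on each listed directory.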
How to fix
Update Electron to version 38.8.6, 39.8.1, 40.8.0 or 41.0.0-beta.8 or later. These releases quote the executable path when registering the login item on Windows, so the path can no longer be split at its spaces and a planted executable is no longer run in place of the application.
Frequently asked questions
What is CVE-2026-34768?
CVE-2026-34768 is a low severity unquoted path vulnerability in Electron on Windows. It allows local code execution at login if the application is installed in a directory path containing spaces and an attacker can write to one of that path's ancestor directories.
Am I affected by CVE-2026-34768?
You are potentially affected by CVE-2026-34768 if your application runs on Windows with an Electron version below the fixed release of its major line (38.8.6, 39.8.1, 40.8.0 or 41.0.0-beta.8), uses `app.setLoginItemSettings({openAtLogin: true})`, and is installed in a directory path containing spaces.
How do I fix or mitigate CVE-2026-34768?
To fix CVE-2026-34768, update to a fixed Electron release (38.8.6, 39.8.1, 40.8.0 or 41.0.0-beta.8 or later). Until then, install the Electron application to a path without spaces, or to a location where standard users do not have write access to any ancestor directory.