Platform
javascript
Component
electron
Fixed in
39.8.6
40.0.1
41.0.1
42.0.1
CVE-2026-34765 is a security vulnerability affecting the Electron framework, used for building cross-platform desktop applications. This issue arises from an incorrect scoping of named-window lookups when using window.open() in renderers. Exploitation could allow a malicious renderer to navigate a child window opened by a different renderer, potentially leading to unauthorized actions. Affected versions include Electron 39.0.0 through 41.1.0 and 42.0.0-alpha.1 to 42.0.0-alpha.4; a fix is available in Electron 39.8.5.
The vulnerability allows a malicious renderer process to hijack a child window opened by another renderer if they share the same target name. This can lead to a variety of attacks, including unauthorized access to sensitive data, modification of application state, and potentially even code execution depending on the webPreferences of the hijacked window. An attacker could craft a malicious webpage that, when opened within an Electron application, exploits this flaw to gain control of other windows within the same application. The blast radius is limited to applications using Electron and sharing target names between renderer processes, but the potential impact on user data and application integrity is significant.
This vulnerability was publicly disclosed on 2026-04-07. There is currently no indication of active exploitation in the wild, but the availability of a public description makes it a potential target. The vulnerability is not currently listed on the CISA KEV catalog. Public proof-of-concept exploits are not yet available, but the vulnerability's nature suggests that development of such exploits is likely.
Exploit Status
EPSS
0.06% (18% percentile)
CISA SSVC
CVSS Vector
The primary mitigation is to upgrade to Electron version 39.8.5 or later. If upgrading is not immediately feasible, consider implementing stricter controls on the target names used in window.open() calls to ensure uniqueness across renderer processes. Carefully review and restrict the webPreferences settings for windows opened with setWindowOpenHandler to minimize the potential impact of a hijacked window. Implement robust input validation and sanitization to prevent malicious scripts from manipulating target names. After upgrading, verify the fix by attempting to open windows with the same target name from different renderer contexts and confirming that navigation is restricted.
Update to version 39.8.5, 40.8.5, 41.1.0 or 42.0.0-alpha.5 or later. Review the use of `setWindowOpenHandler` to avoid granting excessive privileges to child windows. If possible, avoid using `nodeIntegration: true` or `sandbox: false` in child windows.
Vulnerability analysis and critical alerts directly to your inbox.
CVE-2026-34765 is a medium severity vulnerability in Electron where a renderer can navigate a child window opened by another renderer using the same target name, potentially leading to unauthorized access.
You are affected if you are using Electron versions 39.0.0 through 41.1.0 or 42.0.0-alpha.1 to 42.0.0-alpha.4 and utilize shared target names in window.open() calls.
Upgrade to Electron version 39.8.5 or later. Consider stricter controls on target names and review webPreferences settings.
There is currently no indication of active exploitation in the wild, but the vulnerability's nature makes it a potential target.
Refer to the Electron security advisories on the Electron GitHub repository for official details: https://github.com/electron/electron/security/advisories
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.