Platform: nodejs
Component: electron
Fixed in: 38.8.7, 39.0.1, 40.0.1, 41.0.1, 38.8.6
CVE-2026-34766 is a security vulnerability affecting Electron applications. This flaw arises from insufficient validation of device IDs within the select-usb-device event callback, potentially granting access to devices outside the intended filter list. While the WebUSB security blocklist remains enforced, the practical impact is limited to applications with specific, unusual device selection logic. Affected versions are those prior to Electron 38.8.6, and a fix is available in that version.
The vulnerability allows a malicious application or compromised renderer to bypass device filters in WebUSB interactions. An attacker could potentially influence the application to select a device ID not included in the originally presented filter list or exclusion filters. This could lead to unauthorized access to USB devices, potentially exposing sensitive data or enabling malicious actions. While the WebUSB security blocklist continues to prevent access to security-sensitive devices, the flaw highlights a weakness in the application's device selection logic. The blast radius is limited to applications with custom device selection mechanisms, as standard applications are less likely to be affected.
CVE-2026-34766 is currently not listed on the CISA KEV catalog. Public proof-of-concept exploits are not widely available, suggesting a low probability of immediate widespread exploitation. The vulnerability was disclosed on 2026-04-03. Given the limited impact and lack of public exploits, the EPSS score is likely low.
Exploit Status
EPSS: 0.02% (7th percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2026-34766 is to upgrade Electron applications to version 38.8.6 or later. This version includes the necessary validation improvements to prevent unauthorized device selection. If upgrading is not immediately feasible, carefully review and strengthen the device selection logic within your application's select-usb-device event handler. Ensure that all selected device IDs are rigorously validated against the expected filter list before granting access. Consider implementing additional security checks and input validation to further reduce the risk of exploitation.
Update Electron to version 38.8.6, 39.8.0, 40.7.0, or 41.0.0-beta.8 or later to mitigate the vulnerability. This update corrects the lack of validation of selected USB device IDs, preventing access to unauthorized devices.
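The hardening step described above, as an added example that is not Electron project code: a main-process `select-usb-device` handler that only hands the callback a `deviceId` present in the `deviceList` Electron itself presented, cancelling the request otherwise. It assumes the documented handler shape (`details.deviceList` of objects with `deviceId`, `vendorId`, `productId`; a callback that takes a `deviceId` string or nothing to cancel); `SUPPORTED`, `sampleList`, `simulate` and the helper names are constructed for this example.

```javascript
// Resolve a requested ID against the presented list. Returns the matching
// deviceId, or undefined (cancel) when the ID was never offered by Electron.
function resolveDeviceId(deviceList, requestedId) {
  if (typeof requestedId !== 'string') return undefined;
  const match = deviceList.find((d) => d.deviceId === requestedId);
  return match ? match.deviceId : undefined;
}

// App-side selection logic: first device whose vendor/product pair the app
// supports, chosen only from the presented list, never from an external ID.
function pickSupportedDevice(deviceList, supported) {
  const match = deviceList.find((d) =>
    supported.some((s) => s.vendorId === d.vendorId && s.productId === d.productId));
  return match ? match.deviceId : undefined;
}

// Build the handler. `chooseId(deviceList)` is the app's own selection logic
// (e.g. a UI prompt fed over IPC); whatever it returns is re-validated
// against details.deviceList before it reaches the callback.
function makeSelectUsbDeviceHandler(chooseId) {
  return (event, details, callback) => {
    event.preventDefault(); // the app, not the default chooser, decides
    const wanted = chooseId(details.deviceList);
    callback(resolveDeviceId(details.deviceList, wanted));
  };
}

// Wiring in a real app (commented out so this file runs without Electron):
// session.defaultSession.on('select-usb-device',
//   makeSelectUsbDeviceHandler((list) => pickSupportedDevice(list, SUPPORTED)));

// Constructed sample data for a stand-alone run (not real device IDs).
const SUPPORTED = [{ vendorId: 0x1209, productId: 0x0001 }];
const sampleList = [
  { deviceId: 'dev-a', vendorId: 0x1209, productId: 0x0001 },
  { deviceId: 'dev-b', vendorId: 0x2341, productId: 0x8036 },
];

// Drive the handler with a fake event/details/callback and return what the
// callback received, so the validation can be exercised offline.
function simulate(chooseId) {
  let chosen = 'unset';
  makeSelectUsbDeviceHandler(chooseId)(
    { preventDefault() {} },
    { deviceList: sampleList, origin: 'https://app.example' },
    (id) => { chosen = id; });
  return chosen;
}
```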
CVE-2026-34766 is a vulnerability in Electron where device IDs aren't properly validated, potentially allowing unauthorized USB device access. It's rated as CVSS 3.3 (LOW).
You are affected if you use Electron versions prior to 38.8.6 and your application has custom WebUSB device selection logic.
Upgrade your Electron application to version 38.8.6 or later. Review and strengthen your application's device selection logic if immediate upgrade isn't possible.
There are currently no publicly known active exploits for CVE-2026-34766, but it's still important to apply the fix.
Refer to the Electron security advisories on the Electron website for the most up-to-date information: [https://github.com/electron/electron/security/advisories](https://github.com/electron/electron/security/advisories)