Platform
nodejs
Component
electron
Fixed in
38.8.7
39.0.1
40.0.1
41.0.1
38.8.6
CVE-2026-34767 describes a vulnerability in Electron applications that register custom protocol handlers or modify response headers. Attackers can inject malicious HTTP response headers if they can influence header values, potentially affecting cookies, content security policy, and cross-origin access controls. This vulnerability impacts Electron versions before 38.8.6, and a fix is available in version 38.8.6.
This vulnerability arises when an Electron application reflects untrusted input into HTTP response headers, either in a custom protocol handler registered with protocol.handle() (for a scheme declared via protocol.registerSchemesAsPrivileged()) or in a webRequest.onHeadersReceived() listener that rewrites response headers. If an attacker controls input that is copied into a header name or value without being rejected, line breaks in that input terminate the current header and start a new one, so the attacker can append arbitrary headers (classic CRLF injection). Successful exploitation could set or overwrite cookies, enabling session fixation or hijacking; inject a Content-Security-Policy header that overrides the policy the application intended; or inject CORS headers that relax cross-origin access controls. The blast radius is limited to applications whose protocol handling or header modification reflects external input.
CVE-2026-34767 was publicly disclosed on 2026-04-03. At the time of writing there is no indication of active exploitation and no CISA KEV listing. No public proof-of-concept (PoC) code is available; the EPSS score is 0.03% (9th percentile). HTTP header injection is a well-understood bug class, so exploitation is straightforward wherever an application exposes a reflecting handler, but it still requires an attacker-reachable input path into that specific application.
Exploit Status
EPSS
0.03% (9th percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2026-34767 is to upgrade Electron to version 38.8.6 or later. If upgrading is not immediately feasible, treat every value derived from external input that reaches a response header name or value as untrusted: reject names that are not valid HTTP tokens and reject (or at minimum strip) values containing carriage return, line feed, or NUL before they are placed in a header. A Web Application Firewall or proxy does not help here, because a custom-scheme handler runs inside the application process and the injected headers never cross a network boundary that such a device could inspect. Review protocol.handle() and webRequest.onHeadersReceived() code paths for any place where request URLs, query parameters, or upstream header values are copied into response headers. After upgrading, confirm the fix by issuing a request whose reflected parameter contains a CRLF sequence followed by a header line and checking that no additional header appears in the response.
Update Electron to version 38.8.6 or higher, 39.8.3 or higher, 40.8.3 or higher, or 41.0.3 or higher. Ensure you validate and sanitize any user-controlled input before using it in HTTP response header names or values to prevent header injection.
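As an added illustration (not code from Electron or from this advisory), the following Node.js script shows the reflecting pattern described above beside the check that blocks it. The app:// scheme, the theme query parameter, the buildHeaders* helpers and the attacker string are all constructed for this example; the Electron API calls appear only in comments so the script runs without Electron.

```javascript
// Added example, not Electron's code: the header-injection pattern from the
// advisory and a check an app can apply before reflecting external input into
// response headers. Plain Node.js; Electron calls are shown as comments only.

// RFC 9110: a field name is a token; a field value must not contain CR, LF or NUL.
const TOKEN_RE = /^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$/;
const BAD_VALUE_RE = /[\r\n\0]/;

function isSafeHeaderName(name) {
  return typeof name === 'string' && TOKEN_RE.test(name);
}

function isSafeHeaderValue(value) {
  return typeof value === 'string' && !BAD_VALUE_RE.test(value);
}

// Simplified wire serialization of a header block, so the effect of a CR/LF
// inside a value is visible. This is not Electron's real serialization.
function serializeHeaders(headers) {
  return Object.entries(headers)
    .map(([name, value]) => `${name}: ${value}\r\n`)
    .join('');
}

// Vulnerable pattern (hypothetical app:// handler): an attacker-influenced
// query parameter "theme" is copied straight into a response header.
//   protocol.handle('app', (req) => {
//     const theme = new URL(req.url).searchParams.get('theme');
//     return new Response(body, { headers: buildHeadersUnsafe(theme) });
//   });
function buildHeadersUnsafe(theme) {
  return { 'Content-Type': 'text/html', 'X-App-Theme': theme };
}

// Hardened form: reject the value instead of reflecting it. Returning null
// lets the caller fall back to a default theme or refuse the request.
function buildHeadersSafe(theme) {
  if (!isSafeHeaderValue(theme)) return null;
  return { 'Content-Type': 'text/html', 'X-App-Theme': theme };
}

// For webRequest.onHeadersReceived(): Electron passes responseHeaders as an
// object of name -> string[]. Drop any name or value that fails the check so a
// tainted entry cannot smuggle a second header into the rewritten block.
//   session.defaultSession.webRequest.onHeadersReceived((details, callback) => {
//     callback({ responseHeaders: sanitizeResponseHeaders(details.responseHeaders) });
//   });
function sanitizeResponseHeaders(responseHeaders) {
  const clean = {};
  for (const [name, values] of Object.entries(responseHeaders || {})) {
    if (!isSafeHeaderName(name)) continue;
    const list = Array.isArray(values) ? values : [values];
    const kept = list.filter(isSafeHeaderValue);
    if (kept.length > 0) clean[name] = kept;
  }
  return clean;
}

// Number of header lines in a serialized block; a reflected CR/LF shows up as
// an extra line carrying the attacker's header.
function countHeaderLines(serialized) {
  return serialized.split('\r\n').filter((line) => line.length > 0).length;
}

// Constructed attacker input: a theme name with an embedded CRLF and Set-Cookie.
const ATTACKER_THEME = 'dark\r\nSet-Cookie: session=attacker-chosen; Path=/';

// Runs the two builders against the attacker input and reports the difference.
function demo() {
  const unsafe = serializeHeaders(buildHeadersUnsafe(ATTACKER_THEME));
  return {
    unsafeLines: countHeaderLines(unsafe),      // 3: the injected Set-Cookie line
    safeResult: buildHeadersSafe(ATTACKER_THEME), // null: value rejected
  };
}

console.log(demo());
```

The check rejects rather than strips, so a request carrying a CRLF fails loudly instead of silently becoming a different header; for onHeadersReceived() the sanitizer drops only the tainted entry and keeps the rest of the block intact.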
CVE-2026-34767 is a medium-severity vulnerability in Electron versions before 38.8.6 that allows attackers to inject malicious HTTP response headers, potentially impacting cookies and security policies.
You are affected if you are using Electron versions prior to 38.8.6 and your application registers custom protocol handlers or modifies response headers using protocol.handle() or webRequest.onHeadersReceived().
Upgrade Electron to version 38.8.6 or later. If upgrading is not possible, validate all external input used in response headers to prevent malicious injection.
There is currently no evidence of active exploitation. HTTP header injection is a well-understood bug class, so a working exploit is easy to construct for any application that reflects attacker-controlled input into a response header.
Refer to the official Electron security advisory for CVE-2026-34767 on the Electron website or GitHub repository.