Platform
nodejs
Component
electron
Fixed in
38.8.7
39.0.1
40.0.1
41.0.1
38.8.6
CVE-2026-34768 describes an unquoted-path vulnerability in Electron applications on Windows. When an application calls app.setLoginItemSettings({openAtLogin: true}), Electron writes the executable path to the Run registry key without quoting it. If that path contains spaces, a local attacker with write access to an ancestor directory of the installation can plant an executable that Windows runs at login in place of the intended application, in the context of the user who logs in. This affects Electron versions up to and including 38.8.6. As a workaround, install the application to a path without spaces.
CVE-2026-34768 affects Electron on Windows. The app.setLoginItemSettings({openAtLogin: true}) function wrote the executable path to the Run registry key without quoting. When the Run value is an unquoted path containing spaces, Windows resolves the command line by trying each space-delimited prefix in turn (for example C:\Program.exe before C:\Program Files\...), so an attacker who can write to an ancestor directory of the installation can have a different executable run at login instead of the intended app. Because the standard system directories (the root of the system drive and Program Files) deny file creation to standard users, exploitation normally requires a non-standard installation location whose ancestor directories are writable by a less-privileged user.
Exploitation requires the attacker to be able to create a file in one of the parent directories of the Electron application's installation path. On a default Windows installation this is blocked, since standard users cannot create files directly under C:\ or under Program Files. It becomes feasible when the application is installed in a non-standard location, such as a shared or custom directory tree where a less-privileged user holds write permission on an ancestor directory. The attacker does not need to touch the registry at all: they drop an executable whose name matches a space-delimited prefix of the unquoted path (for an app at C:\Program Files\My App\app.exe, that is C:\Program.exe or C:\Program Files\My.exe), and at the next login Windows finds and runs that file before it ever reaches the legitimate application.
Exploit Status
EPSS
0.01% (2nd percentile)
CISA SSVC
CVSS Vector
The solution to CVE-2026-34768 is to update Electron to a fixed release for the release line in use (see the Fixed in list above). The fixed versions write the executable path to the Run registry key with quotes, so paths containing spaces are no longer resolved prefix by prefix. Apply the update as soon as possible to mitigate the risk of unauthorized code execution at login. Additionally, review the write permissions on the application's installation directory and every directory above it, so that no less-privileged user can create files along that path. The update is the most effective preventative measure.
Update Electron to version 38.8.6, 39.8.1, 40.8.0 or 41.0.0-beta.8 or later to mitigate the vulnerability. This update corrects the missing quotes around the executable path when registering the login item on Windows, preventing malicious executables from being run in its place.
Electron is a framework for building cross-platform desktop applications using web technologies like HTML, CSS, and JavaScript.
This update fixes a security vulnerability that could allow a local attacker to have malicious code executed at login in place of the application.
If you can't update immediately, restrict write permissions on the application's installation directory and its ancestor directories, or install the application to a path that contains no spaces.
This vulnerability affects Electron applications that use the app.setLoginItemSettings({openAtLogin: true}) function and are installed in paths with spaces on Windows.
You can find more information about this vulnerability in the Electron security advisory and in vulnerability databases such as the CVE record for CVE-2026-34768.