Platform: nodejs
Component: electron
Fixed in: 38.8.7, 39.0.1, 40.0.1, 41.0.1, 38.8.6
CVE-2026-34773 is a vulnerability in Electron on Windows: app.setAsDefaultProtocolClient(protocol) does not validate the protocol name before using it as a registry key name, so an application that passes untrusted input as the protocol name can be made to write to arbitrary subkeys and hijack existing protocol handlers. Affected versions are Electron ≤38.8.6. The workaround is to accept only protocol names matching /^[a-zA-Z][a-zA-Z0-9+.-]*$/, which is the URI scheme grammar of RFC 3986.
In more detail, the function writes the handler registration under HKCU\Software\Classes\ using the caller-supplied name without checking it. If the application takes that name from an external or untrusted source, an attacker can choose a name that lands the write under a different subkey of the current user's Classes hive. That write can overwrite the handler for an existing protocol, so that opening a link with that protocol runs attacker-chosen code or sends the user to an unwanted site. Applications whose protocol name is a hard-coded constant are not affected.
Exploitation requires the attacker to get a crafted protocol name into the call through whatever untrusted channel the application reads it from; the vulnerable application then performs the registry write on the attacker's behalf. Because the write is under HKCU, the damage is confined to the current user's registry hive, but that is enough to redirect protocol handlers that user relies on. How hard this is in practice depends on how the application sources the protocol name and what other checks sit in front of the call.
Exploit Status
EPSS: 0.03% (9th percentile)
The fix for CVE-2026-34773 is to update to a fixed Electron release: 38.8.7 on the 38.x line, or the fixed 39.x, 40.x and 41.x releases listed under Fixed in above. Those releases validate the protocol name before writing to the registry. If an immediate update is not possible, validate the protocol name yourself before passing it to app.setAsDefaultProtocolClient(): check it against the scheme regex and, better, against a fixed allowlist of the protocols the application is designed to handle, rejecting anything else. Also audit the code base for every call to app.setAsDefaultProtocolClient() and confirm where its argument comes from.
Update Electron to 38.8.7, 39.0.1, 40.0.1 or 41.0.1 or later. Derive the protocol name passed to `app.setAsDefaultProtocolClient()` from a constant in the application, never from user-provided input, so that registry key injection is not possible.
Electron is a framework for building cross-platform desktop applications using web technologies like HTML, CSS, and JavaScript.
Check which Electron version your application bundles. On the 38.x line, 38.8.6 and earlier are vulnerable; on later lines, anything below the fixed release listed above is. The issue only matters on Windows and only if the application calls app.setAsDefaultProtocolClient() with a protocol name that comes from external data, so review the code for that pattern as well.
HKCU\Software\Classes is the per-user Windows registry key that stores file type and protocol (URL scheme) associations and the handlers registered for them. Writing under it changes which program is launched for a given protocol for the current user.
Whether there is an alternative to app.setAsDefaultProtocolClient() depends on what the application needs. Any replacement that writes protocol associations itself carries the same registry key injection risk and needs the same validation of the protocol name.
Validate the protocol name before passing it to app.setAsDefaultProtocolClient(): reject anything that does not match /^[a-zA-Z][a-zA-Z0-9+.-]*$/, and then require it to be on an allowlist of the protocols the application actually handles.
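As an added example (not code from Electron or from this advisory), the following wraps app.setAsDefaultProtocolClient() in the validation described above: the RFC 3986 scheme regex first, then a fixed allowlist. The `app` object is injected so the snippet runs outside Electron with a constructed stand-in; in a real application it would be `require('electron').app`. The sample inputs and the allowlist are constructed for illustration.

```javascript
// Added example: a hardened wrapper around app.setAsDefaultProtocolClient().
// Not Electron's own code. `app` is injected so this runs under plain Node.

// RFC 3986 scheme grammar: ALPHA *( ALPHA / DIGIT / "+" / "-" / "." ).
// This is the workaround regex given in the advisory.
const SCHEME_RE = /^[a-zA-Z][a-zA-Z0-9+.-]*$/;

function isValidScheme(name) {
  return typeof name === 'string' && SCHEME_RE.test(name);
}

// Register `protocol` only if it is syntactically a scheme AND is one of the
// protocols this application ships with. Returns {ok, reason}; the registry
// write (the real Electron call) is never reached for rejected input.
function registerProtocolSafely(app, protocol, allowlist) {
  if (!isValidScheme(protocol)) {
    return { ok: false, reason: 'invalid scheme syntax' };
  }
  // Schemes are case-insensitive, so compare in lowercase.
  const wanted = protocol.toLowerCase();
  if (!allowlist.some((s) => s.toLowerCase() === wanted)) {
    return { ok: false, reason: 'not in allowlist' };
  }
  // Electron's real method returns a boolean indicating success.
  return { ok: app.setAsDefaultProtocolClient(wanted), reason: 'registered' };
}

// Constructed stand-in for Electron's `app` that records what it was asked to register.
function makeFakeApp() {
  const registered = [];
  return {
    registered,
    setAsDefaultProtocolClient(p) {
      registered.push(p);
      return true;
    },
  };
}

// Constructed inputs. The first two are legitimate; the rest model untrusted
// input that must never reach the registry write.
const SAMPLES = [
  'myapp',
  'MyApp+v2',
  'my\\..\\http',   // backslash is a registry path separator and not a scheme char
  'http',           // valid syntax, but would hijack an existing handler: allowlist rejects
  '9app',           // a scheme must start with a letter
  'myapp junk',     // whitespace
  '',               // empty
];

// Runs every sample through the wrapper against a fixed allowlist and returns
// both the per-input verdicts and what the fake app actually registered.
function runSamples() {
  const app = makeFakeApp();
  const results = {};
  for (const s of SAMPLES) {
    results[s] = registerProtocolSafely(app, s, ['myapp', 'myapp+v2']);
  }
  return { results, registered: app.registered };
}

console.log(JSON.stringify(runSamples(), null, 2));
```

Only `myapp` and `myapp+v2` reach the (fake) registration call; the path-like name, the attempt to take over `http`, and the malformed names are all refused before any registry write happens. The allowlist is the important half: a syntactically valid scheme such as `http` passes the regex but must still be rejected, because the point of the attack is to claim a protocol the application has no business handling.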