Platform
nodejs
Component
electron
Fixed in
38.8.7
39.0.1
40.0.1
41.0.1
CVE-2026-34775 is a vulnerability in Electron, a framework for building cross-platform desktop applications. Workers can receive Node.js integration even when the nodeIntegrationInWorker web preference is set to false for the frame that spawns them, so script running in such a worker can reach Node.js APIs and execute code with the application's privileges. The vulnerability affects the 38.x, 39.x and 40.x release lines before their fixed releases, and 41.0.0 pre-releases from 41.0.0-alpha.1 onward; fixes are available in Electron 38.8.6, 39.8.4, 40.8.4 and 41.0.0.
The core of this vulnerability is incorrect scoping of the nodeIntegrationInWorker web preference. In certain process-sharing scenarios the preference is not applied per frame as intended: workers spawned from a frame that explicitly sets nodeIntegrationInWorker to false can still receive Node.js integration that was meant for another frame sharing the same renderer process. This bypasses the restriction the application relies on. An attacker who can already run JavaScript in such a worker (for example through a script injection bug, or remote content loaded into the frame) gains access to Node.js APIs such as require, fs and child_process, which turns a web-content compromise into code execution on the user's machine with the application's privileges. The impact is larger for applications that handle sensitive user data or talk to external systems, because the compromised worker can act on the application's behalf.
This vulnerability is not currently listed in the CISA KEV catalog, and public proof-of-concept exploits are not widely available, which suggests a low probability of immediate widespread exploitation. However, because the outcome is code execution inside a desktop application, it is a significant risk, particularly for applications that mix worker configurations across windows or frames. The NVD entry was published on 2026-04-03.
Exploit Status
EPSS
0.03% (10th percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2026-34775 is to upgrade to a fixed Electron release: 38.8.6, 39.8.4, 40.8.4 or 41.0.0, depending on the release line in use. If upgrading is not immediately feasible because of compatibility issues or breaking changes, remove the source of the leaked integration: if no frame genuinely needs Node.js in workers, leave nodeIntegrationInWorker at its default of false everywhere, so that there is no worker integration for a co-located frame to inherit. Where it is needed, keep the hardening Electron already recommends for every renderer (nodeIntegration: false, contextIsolation: true, sandbox: true, with privileged operations exposed through a preload script and contextBridge) so that a worker which does gain Node.js is as constrained as possible. This is a renderer-process issue inside a desktop application, so a WAF or other network-side control does not apply; monitoring for unexpected child process creation, file access or network connections originating from the application can still provide an early sign of compromise. After upgrading, confirm the fix by spawning a worker from a frame configured with nodeIntegrationInWorker: false and verifying that neither require nor a Node.js process object is reachable inside it.
Update Electron to version 38.8.6, 39.8.4, 40.8.4 or 41.0.0 (matching the release line in use) to fix the vulnerability, and check that nodeIntegrationInWorker is false in every window or frame that does not require Node.js in workers, so that Node.js code cannot run in workers unintentionally.
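As an added example (not code from the Electron project or from the advisory), the following Node.js script audits BrowserWindow webPreferences for the weak and hardened settings described above, reports the mixed worker configuration that the process-sharing description points at, and contains the worker-side probe used to confirm the fix. The defaults it models (nodeIntegration and nodeIntegrationInWorker false, contextIsolation true, sandbox true unless nodeIntegration is enabled), the window names and the sample settings are assumptions; WORKER_PROBE_SOURCE is the code to load into a real Web Worker in the renderer, and runProbeSimulated is a local stand-in for that worker so the script runs under plain Node.js.

```javascript
'use strict';

// Added example, not Electron project code. Models Electron's documented defaults
// (assumed here): nodeIntegration and nodeIntegrationInWorker default to false,
// contextIsolation to true, and sandbox to true unless nodeIntegration is enabled.
function effectiveWebPreferences(prefs = {}) {
  const nodeIntegration = prefs.nodeIntegration === true;
  return {
    nodeIntegration,
    nodeIntegrationInWorker: prefs.nodeIntegrationInWorker === true,
    contextIsolation: prefs.contextIsolation !== false,
    sandbox: prefs.sandbox === undefined ? !nodeIntegration : prefs.sandbox === true,
  };
}

// Flag every setting that lets a worker, or the page that spawns it, reach Node.js.
// Returns an array of finding strings; an empty array means the window is hardened.
function auditWebPreferences(prefs = {}) {
  const p = effectiveWebPreferences(prefs);
  const findings = [];
  if (p.nodeIntegrationInWorker) {
    findings.push('nodeIntegrationInWorker=true: workers in this window get Node.js APIs');
  }
  if (p.nodeIntegration) {
    findings.push('nodeIntegration=true: page script gets Node.js APIs and the default sandbox is off');
  }
  if (!p.contextIsolation) {
    findings.push('contextIsolation=false: preload and page share one JavaScript world');
  }
  if (!p.sandbox) {
    findings.push('sandbox=false: renderer process is not OS-sandboxed');
  }
  return findings;
}

// The advisory text describes the bug as a process-sharing scoping failure, so the
// configuration to look for is a mixed one: some windows or frames enabling
// nodeIntegrationInWorker while others rely on it being false. Report that mix.
function auditApp(windows) {
  const report = { windows: {}, mixedWorkerIntegration: false };
  let anyEnabled = false;
  let anyDisabled = false;
  for (const w of windows) {
    report.windows[w.name] = auditWebPreferences(w.webPreferences);
    if (effectiveWebPreferences(w.webPreferences).nodeIntegrationInWorker) anyEnabled = true;
    else anyDisabled = true;
  }
  report.mixedWorkerIntegration = anyEnabled && anyDisabled;
  return report;
}

// Runtime check for the fix. Run inside a worker spawned from a frame configured with
// nodeIntegrationInWorker=false: true means Node.js is reachable (the bug, or a worker
// that legitimately has integration), false means the preference was honoured. The scope
// is a parameter so the same logic can be exercised under plain Node.js, where it is true.
function hasNodeIntegration(scope = globalThis) {
  const hasRequire = typeof scope.require === 'function';
  const proc = scope.process;
  const hasNodeProcess = typeof proc === 'object' && proc !== null &&
    typeof proc.versions === 'object' && proc.versions !== null &&
    typeof proc.versions.node === 'string';
  return hasRequire || hasNodeProcess;
}

// Worker source for the renderer. Load it with
//   const w = new Worker(URL.createObjectURL(new Blob([WORKER_PROBE_SOURCE], { type: 'text/javascript' })));
//   w.onmessage = (e) => console.log(e.data);   // expect { nodeReachable: false } on a fixed build
const WORKER_PROBE_SOURCE = `
  const nodeReachable = (${hasNodeIntegration.toString()})(self);
  self.postMessage({ nodeReachable });
`;

// Local stand-in for the worker: runs WORKER_PROBE_SOURCE with a fake self object so the
// probe can be checked without Electron. A bare object models an isolated worker; passing
// { process: globalThis.process } models a worker that wrongly received Node.js.
function runProbeSimulated(fakeSelf = {}) {
  let message;
  const self = Object.assign({}, fakeSelf, { postMessage: (m) => { message = m; } });
  new Function('self', WORKER_PROBE_SOURCE)(self);
  return message;
}

// Constructed sample application (assumed names and settings): a main window that enables
// Node.js in workers and a content viewer that relies on the default of false.
const SAMPLE_WINDOWS = [
  { name: 'main', webPreferences: { nodeIntegrationInWorker: true, contextIsolation: false, sandbox: false } },
  { name: 'viewer', webPreferences: { contextIsolation: true, sandbox: true } },
];

console.log(JSON.stringify(auditApp(SAMPLE_WINDOWS), null, 2));
console.log('probe under Node.js:', hasNodeIntegration());
console.log('probe in simulated isolated worker:', runProbeSimulated({}));
```

Run the script with node to see the audit of the constructed sample app; to check a real build, paste WORKER_PROBE_SOURCE into a worker created from a frame whose webPreferences set nodeIntegrationInWorker: false and confirm the posted message is { nodeReachable: false } after upgrading.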
CVE-2026-34775 is a vulnerability in Electron where workers can gain Node.js integration even though the nodeIntegrationInWorker web preference is set to false, potentially leading to code execution. It affects Electron from 38.0.0 up to (but not including) the fixed 38.x, 39.x and 40.x releases, and 41.0.0 pre-releases from 41.0.0-alpha.1 up to (but not including) 41.0.0.
You are affected if you use an Electron release in the affected ranges above, your application spawns workers, and it relies on nodeIntegrationInWorker: false to keep Node.js out of those workers. Applications that combine frames or windows with different worker settings in one renderer process are the most likely to hit the process-sharing scenario described above.
Upgrade to a fixed Electron release (38.8.6, 39.8.4, 40.8.4 or 41.0.0). If upgrading isn't possible, keep nodeIntegrationInWorker false wherever it is not required and apply Electron's standard renderer hardening (contextIsolation and sandbox enabled, nodeIntegration disabled).
There are no confirmed active exploits at this time, but the potential for remote code execution makes it a significant risk.
Refer to the Electron security advisory for detailed information: [https://github.com/electron/electron/security/advisories/GHSA-xxxx-xxxx-xxxx](https://github.com/electron/electron/security/advisories/GHSA-xxxx-xxxx-xxxx) (replace with actual advisory URL)