Platform
nodejs
Component
electron
Fixed in
38.8.7
39.0.1
40.0.1
41.0.1
38.8.6
CVE-2026-34777 describes an origin spoofing vulnerability in Electron. When an iframe requests certain permissions, the origin that Electron reports to the handler registered with session.setPermissionRequestHandler() is the top-level page's origin rather than the requesting iframe's. An application that bases its grant decision on that origin can unintentionally grant permissions to embedded third-party content. Affected versions are those earlier than the fixed releases listed above.
The affected code path is permission handling for iframes. When an iframe requests fullscreen, pointer lock, keyboard lock, openExternal, or media access, Electron attributed the request to the top-level page's origin instead of the iframe's when invoking the handler set with session.setPermissionRequestHandler(). An application that uses the reported origin to decide whether to grant a permission therefore cannot tell a request from its own page apart from one made by a third-party frame embedded in that page, and may grant the frame access to resources such as the camera or microphone.
An attacker who controls the content of an iframe in an affected application (for example, a third-party embed, or one whose content has been compromised) can request sensitive permissions such as camera or microphone access from that frame. Because the request is attributed to the embedding page, a handler that trusts the page's origin grants it, allowing the attacker to capture audio or video, exfiltrate information, or act with the granted capability on the user's behalf. Exploitability depends on how many applications embed third-party or attacker-influenced content and on whether their handlers key the decision on the reported origin.
Exploit Status
EPSS
0.01% (3% percentile)
The fix is to upgrade to one of the fixed Electron releases listed above, in which the handler registered with session.setPermissionRequestHandler() receives the requesting iframe's origin. Independently of the upgrade, review the permission handler so that it does not authorize on the top-level page's origin alone, particularly where the application embeds third-party content, and keep dependencies current so that security releases are picked up promptly.
Concretely: update Electron to a fixed release, and in the handler decide on the per-request `details` object rather than on anything that reflects the top-level page (such as `webContents.getURL()`). Deny requests where `details.isMainFrame` is false unless the application intentionally allows a specific embedded origin, and validate `details.requestingUrl` against an allowlist of origins. This keeps permissions from reaching embedded third-party content.
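As an added example (not code from Electron, the advisory, or any affected application), the handler below contrasts the vulnerable pattern of authorizing on the top-level page's origin with a handler that decides on the frame-level fields in `details`. `TRUSTED_ORIGINS` is a placeholder allowlist, and `makeFakeSession` is a constructed stand-in for Electron's `session` so the handler can be exercised offline; the sample requests are constructed.

```javascript
// Added example for this advisory page, not code from Electron or from any
// affected application.  Runs offline: makeFakeSession is a constructed
// stand-in for Electron's session; TRUSTED_ORIGINS is a placeholder allowlist.

const TRUSTED_ORIGINS = new Set(['https://app.example']);
const ALLOWED_PERMISSIONS = new Set([
  'media', 'fullscreen', 'pointerLock', 'keyboardLock', 'openExternal',
]);

// Parse a URL's origin, returning null for unparsable or non-http(s) inputs.
function originOf(urlString) {
  try {
    const u = new URL(urlString);
    return (u.protocol === 'https:' || u.protocol === 'http:') ? u.origin : null;
  } catch {
    return null;
  }
}

// Vulnerable pattern: authorize on the top-level page's URL.  In an affected
// Electron an iframe's request is attributed to the embedding page, so a
// third-party frame inside a trusted page is granted whatever the page gets.
function decideByTopLevel(topLevelUrl, permission) {
  return ALLOWED_PERMISSIONS.has(permission) &&
    TRUSTED_ORIGINS.has(originOf(topLevelUrl));
}

// Hardened pattern: authorize on the request's own details.
//  - subframes are denied outright (details.isMainFrame !== true);
//  - the requesting frame's URL must be on the allowlist;
//  - openExternal additionally requires an http(s) target in details.externalURL.
function decidePermission(permission, details) {
  if (!ALLOWED_PERMISSIONS.has(permission)) return false;
  if (details.isMainFrame !== true) return false;
  const origin = originOf(details.requestingUrl);
  if (origin === null || !TRUSTED_ORIGINS.has(origin)) return false;
  if (permission === 'openExternal') {
    return originOf(details.externalURL) !== null;
  }
  return true;
}

// Wiring as it would appear in an Electron main process:
//   installHandler(session.defaultSession)
function installHandler(sess) {
  sess.setPermissionRequestHandler((webContents, permission, callback, details) => {
    // webContents.getURL() is deliberately not consulted: it is the top-level page.
    callback(decidePermission(permission, details));
  });
}

// Constructed stand-in for Electron's session: records the handler and lets the
// example invoke it the way Chromium would for an incoming request.
function makeFakeSession() {
  let handler = null;
  return {
    setPermissionRequestHandler(fn) { handler = fn; },
    request(permission, details) {
      let granted;
      const webContents = { getURL: () => 'https://app.example/page' };
      handler(webContents, permission, (g) => { granted = g; }, details);
      return granted;
    },
  };
}

// Constructed sample requests: a third-party ad frame embedded in the trusted
// page, and the trusted page's own main frame.
function demo() {
  const sess = makeFakeSession();
  installHandler(sess);
  const iframeReq = {
    requestingUrl: 'https://ads.third-party.example/frame.html',
    isMainFrame: false,
    mediaTypes: ['video'],
  };
  const mainReq = {
    requestingUrl: 'https://app.example/page',
    isMainFrame: true,
    mediaTypes: ['video'],
  };
  return {
    // top-level origin check: the ad frame gets camera access
    vulnerableIframe: decideByTopLevel('https://app.example/page', 'media'),
    // frame-level check: ad frame denied, main frame allowed
    hardenedIframe: sess.request('media', iframeReq),
    hardenedMain: sess.request('media', mainReq),
    // openExternal with a non-http(s) target is refused even from the main frame
    hardenedOpenExternal: sess.request('openExternal', {
      requestingUrl: 'https://app.example/page',
      isMainFrame: true,
      externalURL: 'file:///etc/passwd',
    }),
  };
}
```

`decideByTopLevel` grants the embedded ad frame camera access whenever the embedding page is trusted; `decidePermission` refuses it because the request is not from the main frame, and would still refuse it if the frame were promoted to main frame, since its URL is not on the allowlist. Applications that must allow a particular embedded origin should add that origin to the allowlist and drop the `isMainFrame` check only for that origin, rather than trusting subframes in general.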
Electron is a framework for building cross-platform desktop applications using web technologies like HTML, CSS, and JavaScript.
This update fixes a security vulnerability that could allow malicious content to obtain unauthorized permissions within an Electron application.
If you can't update immediately, review your permission request handler and make sure it does not rely solely on the top-level page's origin; deny requests from subframes (details.isMainFrame is false) unless you intend to allow a specific embedded origin, and check details.requestingUrl against an allowlist.
If your application uses an Electron version earlier than the fixed releases listed above, it is affected by this vulnerability.
You can find more information about this vulnerability on the Electron website and in vulnerability databases like CVE.