UNKNOWN CVE-2026-34767

CVE-2026-34767: Electron HTTP Header Injection Vuln <=38.8.6

Platform: nodejs

Component: electron

Fixed in: 38.8.6

CVE-2026-34767 describes an HTTP response header injection vulnerability affecting Electron applications. This flaw allows attackers to inject malicious headers by influencing header values, potentially compromising cookies, content security policies, or cross-origin access controls. The vulnerability affects Electron versions up to and including 38.8.6. Currently, there is no official patch available to address this issue.

How to fix

Upgrade Electron to version 38.8.6 or later, 39.8.3 or later, 40.8.3 or later, or 41.0.3 or later. Be sure to validate and sanitize any user-controlled input before using it in HTTP response header names or values to prevent header injection.

Frequently asked questions

What is CVE-2026-34767?

CVE-2026-34767 is an HTTP response header injection vulnerability in Electron applications that allows attackers to inject malicious headers by influencing header values.

Am I affected by CVE-2026-34767?

You are affected if you are using Electron version 38.8.6 or earlier and your application registers custom protocol handlers or modifies response headers reflecting external input.

How can I fix or mitigate CVE-2026-34767?

Currently, there is no official patch available. Mitigation involves carefully validating or sanitizing any external input that is reflected into response headers to prevent injection.
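One way to apply that validation in application code, as an added example that is not taken from Electron or from this advisory. The function names, the sample input and the name-to-array header shape are assumptions; the result is meant to be passed to whatever custom protocol handler or header-modifying hook the application already uses.

```javascript
// Added example (not Electron's code): fail-closed checks for reflected input.

// RFC 9110 "token": the only characters valid in a header field name.
const HEADER_NAME = /^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$/;
// Visible ASCII, space and tab only; excludes CR, LF and NUL.
const HEADER_VALUE = /^[\t\x20-\x7e]*$/;

function checkHeader(name, value) {
  if (typeof name !== 'string' || !HEADER_NAME.test(name)) {
    throw new TypeError(`invalid header name: ${JSON.stringify(name)}`);
  }
  const text = String(value);
  if (!HEADER_VALUE.test(text)) {
    throw new TypeError(`invalid value for header ${name}`);
  }
  return text.trim();
}

// Validate every pair; one bad name or value rejects the whole set.
function buildSafeHeaders(pairs) {
  const headers = {};
  for (const [name, value] of Object.entries(pairs)) {
    const values = Array.isArray(value) ? value : [value];
    headers[name] = values.map((v) => checkHeader(name, v));
  }
  return headers;
}

// Percent-encode a user-supplied filename (RFC 8187 filename* form)
// instead of concatenating it raw into Content-Disposition.
function contentDisposition(filename) {
  const encoded = encodeURIComponent(filename).replace(
    /['()*]/g,
    (c) => '%' + c.charCodeAt(0).toString(16).toUpperCase()
  );
  return checkHeader(
    'Content-Disposition',
    `attachment; filename*=UTF-8''${encoded}`
  );
}

// Constructed sample input: a "filename" carrying CR LF.
const hostile = 'report.pdf\r\nX-Constructed: 1';
console.log(contentDisposition(hostile));
try {
  buildSafeHeaders({ 'X-File-Name': hostile });
} catch (err) {
  console.log('rejected:', err.message);
}
```

Rejecting the whole header set on the first bad value keeps a partially validated response from being sent; encoding is used only where the header grammar defines one, as with the filename parameter.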
