CVE-2026-34777: Electron Origin Spoofing in Permission Requests
Platform
nodejs
Component
electron
Fixed in
38.8.6
CVE-2026-34777 describes an origin spoofing vulnerability in Electron applications. When an iframe requests certain permissions, the origin exposed to the handler registered with `session.setPermissionRequestHandler()` (for example through `webContents.getURL()`) is the top-level page's origin rather than the iframe's. An application that authorizes on that value can therefore inadvertently grant permissions to embedded third-party content. Electron releases before 38.8.6 are affected, as are releases in the later lines before 39.8.1, 40.8.1 and 41.0.0; fixed releases are listed under How to fix.
How to fix
Update Electron to 38.8.6, 39.8.1, 40.8.1 or 41.0.0 or later. In addition, check that your permission handler does not rely on the reported origin (or `webContents.getURL()`) for authorization, since that value may describe the top-level page rather than the requesting frame; validate permission requests against `details.requestingUrl` instead. This prevents permissions from being granted to embedded third-party content.
Frequently asked questions
What is CVE-2026-34777?
CVE-2026-34777 is an origin spoofing vulnerability in Electron where iframe permission requests may use the top-level page's origin instead of the iframe's.
Am I affected by CVE-2026-34777?
You are potentially affected if you are using an Electron release earlier than the fixed versions (38.8.6, 39.8.1, 40.8.1 or 41.0.0) and your application grants permissions based on the origin parameter or `webContents.getURL()`.
How can I fix or mitigate CVE-2026-34777?
Upgrade to Electron 38.8.6, 39.8.1, 40.8.1 or 41.0.0 or later. Where you cannot upgrade immediately, ensure your `setPermissionRequestHandler` checks `details.requestingUrl` to verify the URL of the frame that actually made the request, rather than the origin reported for the top-level page.
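The following is an added example illustrating the mitigation described under How to fix and in the answer above; it is not Electron's code and not part of the original advisory. It contrasts a permission handler that authorizes on the top-level page's URL (the pattern exposed by this vulnerability) with one that authorizes on `details.requestingUrl`, the field Electron passes to the handler for the requesting frame. The handler signature `(webContents, permission, callback, details)` is Electron's; the allowlist, the example origins, and the helper names (`originOf`, `decideByTopLevelOrigin`, `decideByRequestingFrame`, `installHandler`, `compareDecisions`) are assumptions made for this example. The session object is duck-typed so the code runs under plain Node without Electron.

```javascript
// Added example, not Electron's or the advisory's own code: deciding an Electron
// permission request by the requesting frame instead of the top-level page.

// Constructed policy for the example: which permissions each origin may receive.
const ALLOWED_ORIGINS = new Map([
  ['https://app.example.com', new Set(['notifications', 'media'])],
]);

// Returns the serialized origin of a URL, or null when the URL is malformed or
// the origin is opaque (the 'null' origin of about:blank, data:, sandboxed frames).
function originOf(url) {
  try {
    const origin = new URL(url).origin;
    return origin === 'null' ? null : origin;
  } catch {
    return null;
  }
}

// Affected pattern: authorizes on the top-level document's URL. In an affected
// Electron build an iframe's request still arrives described by the host page,
// so embedded content receives whatever the host page is allowed.
function decideByTopLevelOrigin(webContents, permission) {
  const origin = originOf(webContents.getURL());
  return origin !== null && (ALLOWED_ORIGINS.get(origin)?.has(permission) ?? false);
}

// Hardened pattern: authorizes on details.requestingUrl, the last URL loaded by
// the frame that issued the request. Fails closed if the field is missing,
// malformed, or carries an opaque origin.
function decideByRequestingFrame(permission, details) {
  if (!details || typeof details.requestingUrl !== 'string') return false;
  const origin = originOf(details.requestingUrl);
  if (origin === null) return false;
  return ALLOWED_ORIGINS.get(origin)?.has(permission) ?? false;
}

// Registers the hardened decision on a session: Electron's session.defaultSession,
// or any object exposing setPermissionRequestHandler with Electron's signature.
function installHandler(session) {
  session.setPermissionRequestHandler((webContents, permission, callback, details) => {
    callback(decideByRequestingFrame(permission, details));
  });
}

// Replays one constructed scenario: a third-party iframe embedded in the trusted
// host page asks for 'media'. Returns both decisions side by side.
function compareDecisions() {
  const hostPage = { getURL: () => 'https://app.example.com/index.html' }; // constructed
  const iframeRequest = {
    requestingUrl: 'https://ads.example.net/frame.html', // constructed third-party frame
    isMainFrame: false,
  };
  return {
    affected: decideByTopLevelOrigin(hostPage, 'media'),       // true: permission leaks to the iframe
    hardened: decideByRequestingFrame('media', iframeRequest), // false: request denied
  };
}

console.log(compareDecisions());
```

In a real application the allowlist would be loaded from configuration, and `installHandler(session.defaultSession)` would be called once the app is ready. For permissions that should never be available to embedded content at all, the handler can additionally deny any request whose `details.isMainFrame` is false, regardless of origin.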