CVE-2026-34768
Description
Electron is a framework for writing cross-platform desktop applications using JavaScript, HTML and CSS. Prior to versions 38.8.6, 39.8.1, 40.8.0, and 41.0.0-beta.8, on Windows, app.setLoginItemSettings({openAtLogin: true}) wrote the executable path to the Run registry key without quoting. If the app is installed to a path containing spaces, an attacker with write access to an ancestor directory may be able to cause a different executable to run at login instead of the intended app. On a default Windows install, standard system directories are protected against writes by standard users, so exploitation typically requires a non-standard install location. This issue has been patched in versions 38.8.6, 39.8.1, 40.8.0, and 41.0.0-beta.8.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
electronnpm | < 38.8.6 | 38.8.6 |
electronnpm | >= 39.0.0-alpha.1, < 39.8.1 | 39.8.1 |
electronnpm | >= 40.0.0-alpha.1, < 40.8.0 | 40.8.0 |
electronnpm | >= 41.0.0-alpha.1, < 41.0.0-beta.8 | 41.0.0-beta.8 |
Affected products
14cpe:2.3:a:electronjs:electron:41.0.0:alpha1:*:*:*:node.js:*:*+ 13 more
- cpe:2.3:a:electronjs:electron:41.0.0:alpha1:*:*:*:node.js:*:*
- cpe:2.3:a:electronjs:electron:41.0.0:alpha2:*:*:*:node.js:*:*
- cpe:2.3:a:electronjs:electron:41.0.0:alpha3:*:*:*:node.js:*:*
- cpe:2.3:a:electronjs:electron:41.0.0:alpha4:*:*:*:node.js:*:*
- cpe:2.3:a:electronjs:electron:41.0.0:alpha5:*:*:*:node.js:*:*
- cpe:2.3:a:electronjs:electron:41.0.0:alpha6:*:*:*:node.js:*:*
- cpe:2.3:a:electronjs:electron:41.0.0:beta1:*:*:*:node.js:*:*
- cpe:2.3:a:electronjs:electron:41.0.0:beta2:*:*:*:node.js:*:*
- cpe:2.3:a:electronjs:electron:41.0.0:beta3:*:*:*:node.js:*:*
- cpe:2.3:a:electronjs:electron:41.0.0:beta4:*:*:*:node.js:*:*
- cpe:2.3:a:electronjs:electron:41.0.0:beta5:*:*:*:node.js:*:*
- cpe:2.3:a:electronjs:electron:41.0.0:beta6:*:*:*:node.js:*:*
- cpe:2.3:a:electronjs:electron:41.0.0:beta7:*:*:*:node.js:*:*
- cpe:2.3:a:electronjs:electron:*:*:*:*:*:node.js:*:*range: <38.8.6
Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
3- github.com/advisories/GHSA-jfqx-fxh3-c62jghsaADVISORY
- github.com/electron/electron/security/advisories/GHSA-jfqx-fxh3-c62jnvdVendor AdvisoryWEB
- nvd.nist.gov/vuln/detail/CVE-2026-34768ghsaADVISORY
News mentions
0No linked articles in our index yet.