CVE-2026-34765
Received - Intake
Window Navigation Confusion in Electron Enables Privilege Escalation

Publication date: 2026-04-07

Last updated on: 2026-04-20

Assigner: GitHub, Inc.

Description
Electron is a framework for writing cross-platform desktop applications using JavaScript, HTML and CSS. Prior to 39.8.5, 40.8.5, 41.1.0, and 42.0.0-alpha.5, when a renderer calls window.open() with a target name, Electron did not correctly scope the named-window lookup to the opener's browsing context group. A renderer could navigate an existing child window that was opened by a different, unrelated renderer if both used the same target name. If that existing child was created with more permissive webPreferences (via setWindowOpenHandler's overrideBrowserWindowOptions), content loaded by the second renderer inherits those permissions. Apps are only affected if they open multiple top-level windows with differing trust levels and use setWindowOpenHandler to grant child windows elevated webPreferences such as a privileged preload script. Apps that do not elevate child window privileges, or that use a single top-level window, are not affected. Apps that additionally grant nodeIntegration: true or sandbox: false to child windows (contrary to the security recommendations) may be exposed to arbitrary code execution. This vulnerability is fixed in 39.8.5, 40.8.5, 41.1.0, and 42.0.0-alpha.5.
Meta Information
Published: 2026-04-07
Last Modified: 2026-04-20
Generated: 2026-05-06
AI Q&A: 2026-04-08
EPSS Evaluated: 2026-05-05
Affected Vendors & Products
Showing 8 associated CPEs
Vendor Product Version / Range
electronjs electron 41.2.0
electronjs electron 42.0.0
electronjs electron 42.0.0
electronjs electron 42.0.0
electronjs electron 42.0.0
electronjs electron to 39.8.4 (inc)
electronjs electron From 40.0.0 (inc) to 40.8.4 (inc)
electronjs electron From 41.0.0 (inc) to 41.1.0 (exc)
CWE ID Description
CWE-668 The product exposes a resource to the wrong control sphere, providing unintended actors with inappropriate access to the resource.
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability exists in Electron framework versions prior to 39.8.5, 40.8.5, 41.1.0, and 42.0.0-alpha.5. When a renderer process calls window.open() with a target name, Electron did not properly restrict the lookup of that named window to the same browsing context group as the opener. This flaw allows a renderer to navigate an existing child window that was originally opened by a different, unrelated renderer if both use the same target name.

If the existing child window was created with more permissive webPreferences (such as elevated privileges set via setWindowOpenHandler's overrideBrowserWindowOptions), the content loaded by the second renderer inherits those elevated permissions. This can lead to security issues especially if the application opens multiple top-level windows with different trust levels and grants elevated privileges to child windows.

Applications that do not elevate child window privileges or use only a single top-level window are not affected. However, if child windows are granted nodeIntegration: true or sandbox: false (which is against security recommendations), this vulnerability may allow arbitrary code execution.


How can this vulnerability impact me?

This vulnerability can impact applications by allowing a renderer process to gain elevated privileges unintentionally through a child window that was created with more permissive settings by another renderer. This can lead to unauthorized navigation and potentially arbitrary code execution if the application improperly grants nodeIntegration or disables sandboxing in child windows.

The impact includes potential loss of confidentiality, integrity, and availability of the application and its data. The CVSS score reflects low to medium severity.


What immediate steps should I take to mitigate this vulnerability?

To mitigate this vulnerability, you should update Electron to one of the fixed versions: 39.8.5, 40.8.5, 41.1.0, or 42.0.0-alpha.5.

Additionally, ensure that your application does not open multiple top-level windows with differing trust levels that use setWindowOpenHandler to grant child windows elevated webPreferences such as privileged preload scripts.

Avoid granting nodeIntegration: true or sandbox: false to child windows, as this can expose your app to arbitrary code execution.
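
A pre-upgrade check for the two conditions described above, as an added example (not code from Electron or from this advisory): `isAffectedVersion` applies the fixed versions listed in the description, and `elevatedChildPrefs` flags the webPreferences that a setWindowOpenHandler result grants to a child window. Both function names are hypothetical; treating nightly builds as affected and release lines above 42 as fixed are assumptions.

```javascript
// Fixed releases per release line, taken from the advisory description.
const FIXED = { 39: '39.8.5', 40: '40.8.5', 41: '41.1.0', 42: '42.0.0-alpha.5' };

// Parse "X.Y.Z" or "X.Y.Z-tag.N" into a numeric core and prerelease identifiers.
function parse(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.]+))?$/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return { nums: [+m[1], +m[2], +m[3]], pre: m[4] ? m[4].split('.') : null };
}

// Semver precedence: numeric core first; a prerelease sorts before its release.
function compare(a, b) {
  const x = parse(a), y = parse(b);
  for (let i = 0; i < 3; i++) if (x.nums[i] !== y.nums[i]) return x.nums[i] < y.nums[i] ? -1 : 1;
  if (!x.pre || !y.pre) return x.pre ? -1 : y.pre ? 1 : 0;
  for (let i = 0; i < Math.max(x.pre.length, y.pre.length); i++) {
    const p = x.pre[i], q = y.pre[i];
    if (p === undefined) return -1;
    if (q === undefined) return 1;
    if (p === q) continue;
    const pn = /^\d+$/.test(p), qn = /^\d+$/.test(q);
    if (pn && qn) return +p < +q ? -1 : 1;
    if (pn !== qn) return pn ? -1 : 1; // numeric identifiers sort first
    return p < q ? -1 : 1;             // alpha < beta
  }
  return 0;
}

// True when the version predates the fix for its release line.
function isAffectedVersion(v) {
  const { nums, pre } = parse(v);
  if (pre && pre[0] === 'nightly') return true; // assumption: nightlies are not mapped to the fix
  if (nums[0] < 39) return true;                // "prior to 39.8.5" covers older lines
  if (!(nums[0] in FIXED)) return false;        // assumption: lines above 42 carry the fix
  return compare(v, FIXED[nums[0]]) < 0;
}

// Lists the elevated webPreferences in the object a setWindowOpenHandler callback returns.
function elevatedChildPrefs(handlerResult) {
  const wp = handlerResult?.overrideBrowserWindowOptions?.webPreferences ?? {};
  const flags = [];
  if (wp.preload) flags.push('preload');
  if (wp.nodeIntegration === true) flags.push('nodeIntegration: true');
  if (wp.sandbox === false) flags.push('sandbox: false');
  return flags;
}
```

An app is in scope for this issue only when both checks hit: an affected version, and a handler result with a non-empty flag list in an app that opens multiple top-level windows of differing trust.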

