CVE-2026-34765
Window Navigation Confusion in Electron Enables Privilege Escalation
Publication date: 2026-04-07
Last updated on: 2026-04-20
Assigner: GitHub, Inc.
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| electronjs | electron | 41.2.0 |
| electronjs | electron | 42.0.0 |
| electronjs | electron | to 39.8.4 (inc) |
| electronjs | electron | From 40.0.0 (inc) to 40.8.4 (inc) |
| electronjs | electron | From 41.0.0 (inc) to 41.1.0 (exc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-668 | The product exposes a resource to the wrong control sphere, providing unintended actors with inappropriate access to the resource. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability affects Electron versions prior to 39.8.5, 40.8.5, 41.1.0, and 42.0.0-alpha.5. When a renderer process calls window.open() with a target name, the affected versions do not properly restrict the lookup of that named window to the same browsing context group as the opener. As a result, a renderer can navigate an existing child window that was originally opened by a different, unrelated renderer if both use the same target name.
If the existing child window was created with more permissive webPreferences (such as elevated privileges set via setWindowOpenHandler's overrideBrowserWindowOptions), the content loaded by the second renderer inherits those elevated permissions. This can lead to security issues, especially if the application opens multiple top-level windows with different trust levels and grants elevated privileges to child windows.
Applications that do not elevate child window privileges or use only a single top-level window are not affected. However, if child windows are granted nodeIntegration: true or sandbox: false (which is against security recommendations), this vulnerability may allow arbitrary code execution.
How can this vulnerability impact me?
This vulnerability can impact applications by allowing a renderer process to gain elevated privileges unintentionally through a child window that was created with more permissive settings by another renderer. This can lead to unauthorized navigation and potentially arbitrary code execution if the application improperly grants nodeIntegration or disables sandboxing in child windows.
The impact includes potential loss of confidentiality, integrity, and availability of the application and its data. The CVSS score reflects low to medium severity.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, you should update Electron to one of the fixed versions: 39.8.5, 40.8.5, 41.1.0, or 42.0.0-alpha.5.
Additionally, ensure that your application does not open multiple top-level windows with differing trust levels that use setWindowOpenHandler to grant child windows elevated webPreferences such as privileged preload scripts.
Avoid granting nodeIntegration: true or sandbox: false to child windows, as this can expose your app to arbitrary code execution.
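The following is an added example, not code from the Electron project or from this advisory: a window-open handler that grants elevated child webPreferences beside one that does not, with a review helper that flags the settings named above. The handlers are plain functions in the shape passed to setWindowOpenHandler; the origin allow-list, preload path and sample input are hypothetical.

```javascript
// Added example. Plain functions in the shape Electron's
// webContents.setWindowOpenHandler() expects, so this runs in Node without Electron.

// Risky pattern (constructed sample): the child window receives more
// permissive webPreferences than the renderer that opened it.
function elevatedHandler(details) {
  return {
    action: 'allow',
    overrideBrowserWindowOptions: {
      webPreferences: {
        nodeIntegration: true,
        sandbox: false,
        preload: '/app/privileged-preload.js', // hypothetical path
      },
    },
  };
}

// Corrected pattern: children are allowed only for trusted origins
// (hypothetical allow-list) and never receive elevated webPreferences.
const TRUSTED_ORIGINS = new Set(['https://app.example']);
function hardenedHandler(details) {
  let origin;
  try { origin = new URL(details.url).origin; } catch { return { action: 'deny' }; }
  if (!TRUSTED_ORIGINS.has(origin)) return { action: 'deny' };
  return {
    action: 'allow',
    overrideBrowserWindowOptions: {
      webPreferences: { nodeIntegration: false, sandbox: true },
    },
  };
}

// Review helper: list the elevated settings a handler result would grant.
function auditWindowOpenResult(result) {
  const findings = [];
  if (!result || result.action !== 'allow') return findings;
  const prefs = (result.overrideBrowserWindowOptions || {}).webPreferences || {};
  if (prefs.nodeIntegration === true) findings.push('nodeIntegration: true');
  if (prefs.sandbox === false) findings.push('sandbox: false');
  if (typeof prefs.preload === 'string') findings.push('preload script on child window');
  return findings;
}

const sample = { url: 'https://app.example/help', frameName: 'help' }; // constructed input
console.log(auditWindowOpenResult(elevatedHandler(sample)));
console.log(auditWindowOpenResult(hardenedHandler(sample)));
```

Running the helper over every handler result in an application's test suite gives a quick inventory of child windows that would carry elevated privileges on an unpatched Electron version.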