CVE-2026-34766
Received Received - Intake
Improper Validation in Electron select-usb-device Event Allows Unauthorized USB Access

Publication date: 2026-04-04

Last updated on: 2026-04-09

Assigner: GitHub, Inc.

Description
Electron is a framework for writing cross-platform desktop applications using JavaScript, HTML and CSS. Prior to versions 38.8.6, 39.8.0, 40.7.0, and 41.0.0-beta.8, the select-usb-device event callback did not validate the chosen device ID against the filtered list that was presented to the handler. An app whose handler could be influenced to select a device ID outside the filtered set would grant access to a device that did not match the renderer's requested filters or was listed in exclusionFilters. The WebUSB security blocklist remained enforced regardless, so security-sensitive devices on the blocklist were not affected. The practical impact is limited to apps with unusual device-selection logic. This issue has been patched in versions 38.8.6, 39.8.0, 40.7.0, and 41.0.0-beta.8.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-04
Last Modified
2026-04-09
Generated
2026-06-16
AI Q&A
2026-04-04
EPSS Evaluated
2026-06-15
NVD
CVE-2026-34766
Affected Vendors & Products
Showing 16 associated CPEs
Vendor Product Version / Range
electronjs electron 41.0.0
electronjs electron 41.0.0
electronjs electron 41.0.0
electronjs electron 41.0.0
electronjs electron 41.0.0
electronjs electron 41.0.0
electronjs electron 41.0.0
electronjs electron 41.0.0
electronjs electron 41.0.0
electronjs electron 41.0.0
electronjs electron 41.0.0
electronjs electron 41.0.0
electronjs electron 41.0.0
electronjs electron From 39.0.0 (inc) to 39.8.0 (exc)
electronjs electron From 40.0.0 (inc) to 40.7.0 (exc)
electronjs electron to 38.8.6 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-862 The product does not perform an authorization check when an actor attempts to access a resource or perform an action.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-34766 is a vulnerability in the Electron framework related to the select-usb-device event callback.

The vulnerability occurs because the callback does not validate the chosen USB device ID against the filtered list that was presented to the handler.

This means an application, if it can influence the handler, might select a device ID outside the filtered set or exclusion filters, granting access to USB devices not intended to be accessible.

However, the WebUSB security blocklist is still enforced, so security-sensitive devices on that blocklist remain protected.

The practical impact is limited mostly to applications with unusual or custom device-selection logic.

This issue has been fixed in Electron versions 38.8.6, 39.8.0, 40.7.0, and 41.0.0-beta.8.

Impact Analysis

If exploited, this vulnerability could allow an application to access USB devices that were not intended to be accessible based on the renderer's requested filters or exclusion filters.

This could lead to unauthorized access to certain USB devices, potentially exposing data or device functionality that should be restricted.

However, the impact is limited because the WebUSB security blocklist remains enforced, preventing access to security-sensitive devices.

Exploitation requires local access, low privileges, and user interaction, and the confidentiality and integrity impacts are considered low, with no impact on availability.

Detection Guidance

There are no specific detection commands or network/system detection methods provided for this vulnerability. The issue is related to the Electron framework's internal event callback handling and requires code-level inspection or version checking.

To detect if your system is vulnerable, you should check the version of Electron used by your applications. Versions prior to 38.8.6, 39.8.0, 40.7.0, and 41.0.0-beta.8 are affected.

No network-based detection or specific commands are suggested in the provided information.

Mitigation Strategies

The primary mitigation step is to update the Electron framework to one of the patched versions: 38.8.6, 39.8.0, 40.7.0, or 41.0.0-beta.8.

No application-level workarounds exist, so upgrading Electron is necessary to resolve the issue.

Since exploitation requires local access, low privileges, and user interaction, limiting local access and user permissions can also reduce risk until the update is applied.

Compliance Impact

The vulnerability in Electron involves improper validation of USB device selection, potentially allowing access to devices outside the intended filtered list. However, the practical impact is limited to applications with unusual device-selection logic, and security-sensitive devices on the WebUSB blocklist remain protected.

Given the low confidentiality and integrity impact, and the requirement for local access and user interaction, this vulnerability poses a limited risk to data protection and privacy controls typically mandated by standards like GDPR or HIPAA.

Nonetheless, any unauthorized access to devices could potentially lead to data exposure or integrity issues, which might affect compliance if exploited in a sensitive environment. Remediation by updating to patched Electron versions is necessary to maintain compliance and reduce risk.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-34766. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart