CVE-2026-34767
Received Received - Intake
HTTP Response Header Injection in Electron Protocol Handlers

Publication date: 2026-04-04

Last updated on: 2026-04-09

Assigner: GitHub, Inc.

Description
Electron is a framework for writing cross-platform desktop applications using JavaScript, HTML and CSS. Prior to versions 38.8.6, 39.8.3, 40.8.3, and 41.0.3, apps that register custom protocol handlers via protocol.handle() / protocol.registerSchemesAsPrivileged() or modify response headers via webRequest.onHeadersReceived may be vulnerable to HTTP response header injection if attacker-controlled input is reflected into a response header name or value. An attacker who can influence a header value may be able to inject additional response headers, affecting cookies, content security policy, or cross-origin access controls. Apps that do not reflect external input into response headers are not affected. This issue has been patched in versions 38.8.6, 39.8.3, 40.8.3, and 41.0.3.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-04
Last Modified
2026-04-09
Generated
2026-06-16
AI Q&A
2026-04-04
EPSS Evaluated
2026-06-14
NVD
CVE-2026-34767
Affected Vendors & Products
Showing 4 associated CPEs
Vendor Product Version / Range
electronjs electron to 38.8.6 (exc)
electronjs electron From 39.0.0 (inc) to 39.8.3 (exc)
electronjs electron From 40.0.0 (inc) to 40.8.3 (exc)
electronjs electron From 41.0.0 (inc) to 41.0.3 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-113 The product receives data from an HTTP agent/component (e.g., web server, proxy, browser, etc.), but it does not neutralize or incorrectly neutralizes CR and LF characters before the data is included in outgoing HTTP headers.
CWE-74 The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Impact Analysis

If exploited, this vulnerability can allow an attacker to inject malicious HTTP response headers, which can affect the integrity of cookies, content security policies, and cross-origin access controls.

This can lead to security issues such as unauthorized access, bypassing security policies, or manipulation of user sessions. However, exploitation requires user interaction and specific conditions, and the confidentiality impact is low.

Executive Summary

CVE-2026-34767 is a moderate severity vulnerability in the Electron framework affecting versions prior to 38.8.6, 39.8.3, 40.8.3, and 41.0.3. It arises from HTTP response header injection when applications register custom protocol handlers or modify response headers and reflect attacker-controlled input into HTTP response header names or values without proper validation.

This improper handling allows an attacker to inject additional HTTP response headers, potentially manipulating cookies, Content Security Policy (CSP), or cross-origin resource sharing (CORS) controls. The root cause is the failure to neutralize special characters like carriage return and line feed in headers, enabling HTTP response splitting attacks.

Detection Guidance

This vulnerability involves HTTP response header injection when attacker-controlled input is reflected into HTTP response header names or values in Electron applications using custom protocol handlers or the webRequest API.

To detect this vulnerability on your system or network, you should monitor HTTP responses from Electron-based applications for unexpected or suspicious additional headers that could indicate header injection.

Since the issue arises from reflection of untrusted input into response headers, you can test by sending crafted requests with CRLF (Carriage Return and Line Feed) characters or other special sequences in inputs that might be reflected in headers, then inspect the HTTP responses for injected headers.

Commands or tools that can help include using curl or similar HTTP clients to send requests and observe headers, for example:

  • curl -v --header "X-Test: test%0d%0aInjected-Header: injected" http://target-application
  • Use a proxy tool like Burp Suite or OWASP ZAP to intercept and modify requests to inject CRLF sequences and observe if additional headers appear in responses.
  • Use network traffic analyzers like Wireshark to capture and analyze HTTP responses for unexpected headers.

Note that detection requires knowledge of which inputs might be reflected into headers, so testing should focus on inputs handled by custom protocol handlers or webRequest.onHeadersReceived modifications.

Mitigation Strategies

Immediate mitigation steps include:

  • Upgrade Electron to a patched version: 38.8.6, 39.8.3, 40.8.3, or 41.0.3 or later.
  • Validate and sanitize all untrusted input before including it in HTTP response header names or values to prevent injection of CRLF or other special characters.
  • Review application code that registers custom protocol handlers via protocol.handle() or protocol.registerSchemesAsPrivileged(), and code that modifies response headers via webRequest.onHeadersReceived, ensuring no external input is reflected without proper sanitization.
  • If upgrading immediately is not possible, consider disabling or restricting features that allow modification of response headers or custom protocol handlers until a patch can be applied.
Compliance Impact

This vulnerability allows an attacker to inject additional HTTP response headers, potentially manipulating cookies, Content Security Policy (CSP), or cross-origin resource sharing (CORS) controls. Such manipulation can lead to unauthorized access or data integrity issues.

Because the vulnerability can affect the integrity of HTTP headers and potentially expose or manipulate sensitive data, it may impact compliance with standards and regulations that require protection of personal data and secure handling of information, such as GDPR and HIPAA.

Mitigating this vulnerability by validating or sanitizing all untrusted input before including it in HTTP response headers is essential to maintain compliance with these regulations, which mandate appropriate security controls to protect data confidentiality and integrity.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-34767. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart