CVE-2026-34768
Unquoted Path Vulnerability in Electron Allows Privilege Escalation
Publication date: 2026-04-04
Last updated on: 2026-04-09
Assigner: GitHub, Inc.
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| electronjs | electron | 41.0.0 |
| electronjs | electron | to 38.8.6 (exc) |
| electronjs | electron | From 39.0.0 (inc) to 39.8.1 (exc) |
| electronjs | electron | From 40.0.0 (inc) to 40.8.0 (exc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-428 | The product uses a search path that contains an unquoted element, in which the element contains whitespace or other separators. This can cause the product to access resources in a parent path. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in the Electron framework on Windows when using the app.setLoginItemSettings({openAtLogin: true}) API. The issue is that the executable path is written to the Windows Run registry key without surrounding quotes. If the application is installed in a directory path containing spaces, Windows may misinterpret the unquoted path and execute a different, potentially malicious executable located in an ancestor directory.
Exploitation requires an attacker to have write access to an ancestor directory of the application's install path. On default Windows installations, system directories are protected, so exploitation usually requires a non-standard install location with lax directory permissions.
This vulnerability is classified as CWE-428 (Unquoted Search Path or Element) and has been patched in Electron versions 38.8.6, 39.8.1, 40.8.0, and 41.0.0-beta.8.
How can this vulnerability impact me?
If exploited, this vulnerability allows an attacker with write access to an ancestor directory to execute an arbitrary executable at user login instead of the intended Electron application. This could lead to unauthorized code execution with the privileges of the logged-in user.
However, exploitation requires local access with high privileges and a non-standard installation path with writable ancestor directories. The impact on confidentiality, integrity, and availability is considered low.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability involves the Electron framework writing an unquoted executable path to the Windows Run registry key when using app.setLoginItemSettings({openAtLogin: true}). Detection involves checking the Run registry key entries for unquoted paths containing spaces.
- Inspect the Windows Run registry key entries for unquoted executable paths with spaces.
- To list startup entries, use a PowerShell command such as: Get-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run' | Format-List
- Look for entries where the executable path is not enclosed in quotes and contains spaces, which could indicate the vulnerability.
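One way to automate the check described above, as an added PowerShell example that is not from the advisory or the Electron project. The helper name Test-UnquotedRunValue, the sample values, and the rule that the executable path ends at the first ".exe" followed by whitespace are assumptions made for illustration.

```powershell
# Added example (not from the advisory): flag Run-key values whose executable
# path is unquoted and contains whitespace. Test-UnquotedRunValue is a
# hypothetical helper name.
function Test-UnquotedRunValue {
    param([string]$Command)

    $value = $Command.Trim()
    # Empty values and values that already start with a quote are not flagged.
    if ($value -eq '' -or $value.StartsWith('"')) { return $false }

    # Heuristic (assumption): the executable path is everything up to the first
    # ".exe" followed by whitespace or end of string; the rest is arguments.
    $m = [regex]::Match($value, '(?i)^(?<path>.+?\.exe)(?=\s|$)')
    if (-not $m.Success) { return $false }

    # Whitespace inside the path portion is the CWE-428 condition.
    return ($m.Groups['path'].Value -match '\s')
}

# Constructed sample values (not real registry data) to exercise the check offline.
$samples = [ordered]@{
    'QuotedApp'   = '"C:\Tools Dir\My App\app.exe" --hidden'
    'UnquotedApp' = 'C:\Tools Dir\My App\app.exe --hidden'
    'NoSpaces'    = 'C:\Tools\app\app.exe --hidden'
}
foreach ($name in $samples.Keys) {
    '{0,-12} unquoted-with-space={1}' -f $name, (Test-UnquotedRunValue $samples[$name])
}

# Live check of the current user's Run key (the key named in the text above).
$runKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
if (Test-Path -Path $runKey) {
    $key = Get-Item -Path $runKey
    foreach ($name in $key.GetValueNames()) {
        $data = [string]$key.GetValue($name)
        if (Test-UnquotedRunValue $data) {
            [pscustomobject]@{ Name = $name; Command = $data }
        }
    }
}
```

For any entry this reports, review the write permissions on each ancestor directory of the listed path, since exploitation depends on write access there.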
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include updating Electron to a patched version and ensuring the application is installed in a directory path without spaces.
- Upgrade Electron to version 38.8.6, 39.8.1, 40.8.0, or 41.0.0-beta.8 or later, where the vulnerability is fixed.
- Install the application in a directory path that does not contain spaces to avoid unquoted path issues.
- Ensure all ancestor directories of the application path are protected against unauthorized write access to prevent attackers from placing malicious executables.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.