CVE-2026-34769
Command Line Injection in Electron Renderer via webPreferences
Publication date: 2026-04-04
Last updated on: 2026-04-09
Assigner: GitHub, Inc.
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| electronjs | electron | Up to 38.8.6 (exc) |
| electronjs | electron | From 39.0.0 (inc) to 39.8.0 (exc) |
| electronjs | electron | From 40.0.0 (inc) to 40.7.0 (exc) |
| electronjs | electron | 41.0.0 pre-release builds (fixed in 41.0.0-beta.8) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-88 | The product constructs a string for a command to be executed by a separate component in another control sphere, but it does not properly delimit the intended arguments, options, or switches within that command string. |
| CWE-912 | The product contains functionality that is not documented, not part of the specification, and not accessible through an interface or command sequence that is obvious to the product's users or administrators. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-34769 is a vulnerability in the Electron framework involving an undocumented webPreference, `commandLineSwitches`. Any value supplied under this key is appended, as command-line switches, to the command line of the renderer process that Electron spawns for the window or webContents.
The vulnerability arises when an application builds its `webPreferences` object by spreading an untrusted or external configuration object into it (for example `{ ...userConfig }`) without an allowlist of permitted keys. Every key in that object then reaches Electron, `commandLineSwitches` included, so an attacker who controls the configuration can inject switches that disable security features such as renderer sandboxing or web security controls.
Applications that use fixed, hardcoded `webPreferences` objects are not affected. The issue is patched in Electron 38.8.6, 39.8.0, 40.7.0, and 41.0.0-beta.8.
How can this vulnerability impact me?
This vulnerability can have a high impact on confidentiality, integrity, and availability of applications using affected Electron versions.
By injecting arbitrary command-line switches, an attacker can disable renderer sandboxing or web security controls, potentially allowing them to execute malicious code, access sensitive data, or disrupt application functionality.
The CVSS v3.1 base score is 7.7, indicating a high severity with local attack vector, high attack complexity, no privileges required, and user interaction needed.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detecting exposure to this vulnerability means finding Electron applications that build the `webPreferences` object by spreading untrusted or external configuration objects into it without an allowlist, and any use of the undocumented `commandLineSwitches` webPreference, which appends arbitrary switches to the renderer process command line.
Because the issue lies in application code and configuration rather than in network traffic, detection focuses on inspecting the Electron app's source and the command lines of its running processes:
- Search the source code for `webPreferences` objects constructed by spreading external or untrusted objects, i.e. JavaScript patterns such as `webPreferences: { ...untrustedConfig }`.
- Check for the `commandLineSwitches` key anywhere a `webPreferences` object or a configuration that feeds one is built.
- On a running system, inspect the command-line arguments of the app's renderer processes (for example `ps -eo pid,args | grep -- '--type=renderer'` on Linux/macOS, or Process Explorer on Windows) for unexpected switches such as `--no-sandbox` or `--disable-web-security`.
No specific network commands or signatures are provided in the available information.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, never build the `webPreferences` object by spreading an untrusted or external configuration object into it without an explicit allowlist.
When `BrowserWindow` or webContents options are derived from external configuration, copy only the preference keys you expect, validate each value, and set security-relevant preferences (sandboxing, context isolation, web security) from hardcoded values that the external object cannot override.
Update the application to a patched Electron release: 38.8.6, 39.8.0, 40.7.0, or 41.0.0-beta.8, or a later version in the same release line.
Applications that use fixed, hardcoded `webPreferences` objects are not affected, so hardcode these preferences wherever possible.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
This vulnerability in Electron allows attackers to inject command-line switches that can disable critical security features such as renderer sandboxing and web security controls. Such a compromise can lead to significant impacts on confidentiality, integrity, and availability of data processed by affected applications.
Because of the high confidentiality and integrity impact, applications affected by this vulnerability may face challenges in maintaining compliance with standards and regulations like GDPR and HIPAA, which require strong protections for sensitive data and secure application behavior.
Mitigation requires developers to avoid using untrusted input when constructing webPreferences and to use explicit allowlists, thereby reducing the risk of unauthorized access or data breaches that could violate regulatory requirements.