CVE-2026-34778
IPC Spoofing in Electron Service Workers Enables Data Manipulation

Publication date: 2026-04-04

Last updated on: 2026-04-20

Assigner: GitHub, Inc.

Description
Electron is a framework for writing cross-platform desktop applications using JavaScript, HTML and CSS. Prior to versions 38.8.6, 39.8.1, 40.8.1, and 41.0.0, a service worker running in a session could spoof reply messages on the internal IPC channel used by webContents.executeJavaScript() and related methods, causing the main-process promise to resolve with attacker-controlled data. Apps are only affected if they have service workers registered and use the result of webContents.executeJavaScript() (or webFrameMain.executeJavaScript()) in security-sensitive decisions. This issue has been patched in versions 38.8.6, 39.8.1, 40.8.1, and 41.0.0.
Meta Information
Published: 2026-04-04
Last Modified: 2026-04-20
Generated: 2026-05-07
AI Q&A: 2026-04-04
EPSS Evaluated: 2026-05-05
NVD
Affected Vendors & Products
Showing 17 associated CPEs
Vendor Product Version / Range
electronjs electron 41.0.0
electronjs electron to 38.8.6 (exc)
electronjs electron From 39.0.0 (inc) to 39.8.1 (exc)
electronjs electron From 40.0.0 (inc) to 40.8.1 (exc)
CWE ID Description
CWE-290 This attack-focused weakness is caused by incorrectly implemented authentication schemes that are subject to spoofing attacks.
CWE-345 The product does not sufficiently verify the origin or authenticity of data, in a way that causes it to accept invalid data.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2026-34778 is a moderate severity vulnerability in the Electron framework that affects certain versions prior to 38.8.6, 39.8.1, 40.8.1, and 41.0.0.

The issue occurs because a service worker running within a session can spoof reply messages on the internal IPC (Inter-Process Communication) channel used by the methods webContents.executeJavaScript() and webFrameMain.executeJavaScript().

This spoofing causes the main process’s promise to resolve with attacker-controlled data, meaning that applications which register service workers and rely on the results of executeJavaScript() for security-sensitive decisions may be tricked into accepting malicious data.

The vulnerability is due to insufficient verification of data authenticity and improper authentication, classified under CWE-290 (Authentication Bypass by Spoofing) and CWE-345 (Insufficient Verification of Data Authenticity).


How can this vulnerability impact me?

This vulnerability can impact applications that use Electron with service workers registered and that rely on the results of webContents.executeJavaScript() or webFrameMain.executeJavaScript() for security-sensitive decisions.

An attacker can spoof reply messages on the internal IPC channel, causing the application to accept attacker-controlled data.

This can lead to serious security issues such as authentication bypass or other security failures where the integrity of data is compromised.

The CVSS v3.1 score indicates a moderate severity with a high integrity impact, meaning the attacker can modify data, but with low confidentiality impact and no denial of service.

Mitigation involves not trusting the return values of executeJavaScript() for security decisions and instead using dedicated, validated IPC channels for security-critical communication.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability involves a service worker spoofing reply messages on the internal IPC channel used by webContents.executeJavaScript() and related methods in Electron applications. Detection means establishing two things: whether your Electron application runs a vulnerable version (prior to 38.8.6, 39.8.1, 40.8.1, or 41.0.0), and whether it has service workers registered and uses the results of executeJavaScript() in security-sensitive contexts.

Since the issue is internal to Electron's IPC mechanism and involves spoofed messages within the application process, there are no specific network commands or system-level commands provided to detect this vulnerability externally.

To check the Electron version used by your application, you can run commands such as:

  • In the application directory, run `electron --version` or check the package.json dependencies for the Electron version.
  • Inspect your application code or runtime environment to verify if service workers are registered and if webContents.executeJavaScript() results are used in security-sensitive decisions.
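
The version check described above, as an added example that is not part of the original page: it classifies an Electron version string, or the `electron` entry of a package.json, against the fixed releases listed in this advisory. Treating a pre-release of a fixed version as affected and majors above 41 as fixed are assumptions, and the sample package.json is constructed.

```javascript
// Added example: fixed releases taken from this advisory, keyed by major line.
const FIXED = { 38: [38, 8, 6], 39: [39, 8, 1], 40: [40, 8, 1], 41: [41, 0, 0] };

// Constructed sample input, not taken from any real application.
const SAMPLE_PACKAGE_JSON = '{"name":"demo-app","devDependencies":{"electron":"^40.8.0"}}';

// Accepts "39.8.0", "v41.0.0-beta.3" or a range such as "^40.1.0".
// For a range, the first version written in it is what gets classified
// (the lower bound for ^ and ~ ranges).
function parseVersion(spec) {
  const m = /(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.-]+)?/.exec(String(spec));
  if (!m) return null;
  return { parts: [Number(m[1]), Number(m[2]), Number(m[3])], prerelease: Boolean(m[4]) };
}

function compareParts(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

function isAffected(spec) {
  const v = parseVersion(spec);
  if (!v) throw new Error(`unrecognised Electron version: ${spec}`);
  const major = v.parts[0];
  if (major < 38) return true;   // every older line is prior to 38.8.6
  if (major > 41) return false;  // assumption: majors after 41 include the fix
  const cmp = compareParts(v.parts, FIXED[major]);
  // Assumption: a pre-release of a fixed version (41.0.0-beta.1) predates the fix.
  return cmp < 0 || (cmp === 0 && v.prerelease);
}

// Reads the electron entry from package.json text and classifies it.
function auditPackageJson(text) {
  const pkg = JSON.parse(text);
  const spec = (pkg.devDependencies || {}).electron || (pkg.dependencies || {}).electron;
  if (!spec) return { found: false };
  return { found: true, spec, affected: isAffected(spec) };
}

console.log(auditPackageJson(SAMPLE_PACKAGE_JSON));
```

A range is judged by the version written in it, so confirm the installed version with `electron --version` before treating a result as final.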

What immediate steps should I take to mitigate this vulnerability?

To mitigate this vulnerability, immediately upgrade your Electron framework to one of the patched versions: 38.8.6, 39.8.1, 40.8.1, or 41.0.0.

Additionally, avoid trusting the return values of webContents.executeJavaScript() or webFrameMain.executeJavaScript() for any security-sensitive decisions.

Instead, use dedicated and validated IPC channels for communication between the main process and renderer processes when security is critical.
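
One way to structure a dedicated, validated IPC channel, as an added example (not Electron's or the advisory's code): the renderer reports state over a named channel, and the main process checks the sending frame's origin and the payload shape before using it. The channel name, the `app://main` origin and the payload fields are assumptions; `ipcMain.handle` and `event.senderFrame` are Electron APIs, and `ipcMain` is passed in as a parameter so the logic can be exercised without Electron.

```javascript
// Added example. Assumed names: channel 'page:report-state', origin 'app://main',
// payload fields { loggedIn, account }. ipcMain is injected so this runs without Electron.
const CHANNEL = 'page:report-state';
const TRUSTED_ORIGINS = new Set(['app://main']);

// True only for a live frame whose URL is on a trusted origin.
// event.senderFrame can be null once the frame has navigated or been destroyed.
function isTrustedSender(frame) {
  if (!frame || typeof frame.url !== 'string') return false;
  try {
    const u = new URL(frame.url);
    return TRUSTED_ORIGINS.has(`${u.protocol}//${u.host}`);
  } catch {
    return false; // unparsable URL
  }
}

// Returns a copy holding only the expected, type-checked fields, or null.
function validateState(payload) {
  if (payload === null || typeof payload !== 'object' || Array.isArray(payload)) return null;
  const { loggedIn, account } = payload;
  if (typeof loggedIn !== 'boolean') return null;
  if (typeof account !== 'string' || !/^[A-Za-z0-9_.-]{1,64}$/.test(account)) return null;
  return { loggedIn, account };
}

// Main process: the renderer reports state with ipcRenderer.invoke(CHANNEL, payload)
// instead of the main process reading it back through executeJavaScript().
function registerStateChannel(ipcMain, onState) {
  ipcMain.handle(CHANNEL, (event, payload) => {
    if (!isTrustedSender(event.senderFrame)) return { ok: false, reason: 'untrusted-sender' };
    const state = validateState(payload);
    if (!state) return { ok: false, reason: 'invalid-payload' };
    onState(state);
    return { ok: true };
  });
}
```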


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

This vulnerability allows attacker-controlled data to be accepted by applications relying on webContents.executeJavaScript() results for security-sensitive decisions, potentially leading to authentication bypass or other security failures.

Such security failures could impact compliance with standards and regulations like GDPR or HIPAA, which require protection of data integrity and authentication mechanisms to prevent unauthorized access or data manipulation.

Mitigation involves avoiding trust in executeJavaScript() return values for security decisions and using validated IPC channels, which helps maintain compliance by ensuring data authenticity and integrity.

