CVE-2026-43942
Analyzed Analyzed - Analysis Complete
Electerm Environment Variable Exposure via IPC Handler

Publication date: 2026-05-08

Last updated on: 2026-05-08

Assigner: GitHub, Inc.

Description
electerm is an open-sourced terminal/ssh/sftp/telnet/serialport/RDP/VNC/Spice/ftp client. In versions 3.8.15 and prior, the getConstants() IPC handler in src/app/lib/ipc-sync.js serialises the entire process.env object and sends it to the renderer. The data is stored as window.pre.env and is accessible from any JavaScript running in the renderer (e.g., via the DevTools console or a compromised webview context). An attacker who achieves any JavaScript execution within the renderer can trivially exfiltrate these secrets to a remote server, leading to cloud account compromise, supply chain attacks, and lateral movement. At time of publication, there are no publicly available patches.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-08
Last Modified
2026-05-08
Generated
2026-06-19
AI Q&A
2026-05-08
EPSS Evaluated
2026-06-18
NVD
CVE-2026-43942
EUVD
EUVD-2026-28514
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
electerm_project electerm to 3.8.15 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-200 The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.
CWE-312 The product stores sensitive information in cleartext within a resource that might be accessible to another control sphere.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-43942 is a vulnerability in Electerm, an open-source terminal and remote connection client. In versions 3.8.15 and earlier, the application exposes the entire environment variables (process.env) to the renderer process by serializing and sending them via the getConstants() IPC handler. This data is accessible through window.pre.env in the renderer, meaning any JavaScript running thereβ€”such as from malicious plugins or compromised webviewsβ€”can access sensitive secrets like cloud keys or API tokens.

An attacker who gains JavaScript execution in the renderer can easily steal these secrets and send them to a remote server, potentially leading to cloud account compromise, supply chain attacks, and lateral movement within networks.

At the time of publication, no public patches are available, and mitigations include avoiding sensitive environment variables when launching Electerm, clearing secrets before starting, auditing plugins, and restricting renderer capabilities.

Impact Analysis

This vulnerability can lead to the exposure of sensitive environment variables such as AWS keys, GitHub tokens, and API keys to attackers who gain JavaScript execution in the renderer process.

  • Cloud account compromise due to stolen credentials.
  • Supply chain attacks by abusing exposed secrets.
  • Lateral movement within an organization's network after initial compromise.

Because the vulnerability allows exfiltration of sensitive information without user interaction and with low attack complexity, it poses a moderate risk to confidentiality.

Detection Guidance

This vulnerability can be detected by checking if the Electerm application exposes the entire process.env object to the renderer process. One way to verify this is by opening the Electerm application and inspecting the 'Info' modal locally, where the environment variables are visible.

Additionally, if you have access to the renderer's JavaScript console (e.g., DevTools console), you can run the following command to check if the environment variables are exposed:

  • console.log(window.pre.env)

If this command outputs the environment variables, the vulnerability is present. Monitoring network traffic for suspicious exfiltration of environment variables may also help detect exploitation attempts.

Mitigation Strategies

Immediate mitigation steps include avoiding the use of sensitive environment variables when launching Electerm.

You can also use shell scripts to clear sensitive secrets from the environment before starting Electerm.

Auditing and disabling any unnecessary or untrusted plugins is recommended to reduce the risk of JavaScript execution within the renderer.

Furthermore, restricting renderer capabilities such as disabling remote debugging can help prevent attackers from accessing the exposed environment variables.

Compliance Impact

The vulnerability in Electerm exposes sensitive environment variables, including secrets such as AWS keys, GitHub tokens, or API keys, to any JavaScript running in the renderer process. This exposure can lead to unauthorized access and exfiltration of confidential information.

Such exposure of sensitive information can negatively impact compliance with common standards and regulations like GDPR and HIPAA, which require protection of sensitive data and prevention of unauthorized disclosure.

However, the provided information does not explicitly discuss the direct impact on compliance frameworks or specific regulatory requirements.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-43942. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart