Monitor vulnerabilities like this one.
Sign up free to get alerted when software you use is affected.
6.8
Electron: Unsecured Node.js Integration in Shared Processes
GHSA-xwr5-m59h-vwqr
CVE-2026-34775
Summary
Electron apps that enable Node.js integration in shared processes may be vulnerable to security risks. If you use Electron, avoid enabling Node.js integration in apps that open child windows or embed content with different settings. Update to Electron version 41.0.0 or later.
What to do
- Update electron to version 38.8.6.
- Update electron to version 39.8.4.
- Update electron to version 40.8.4.
- Update electron to version 41.0.0.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| – | electron | <= 38.8.6 | 38.8.6 |
| – | electron | > 39.0.0-alpha.1 , <= 39.8.4 | 39.8.4 |
| – | electron | > 40.0.0-alpha.1 , <= 40.8.4 | 40.8.4 |
| – | electron | > 41.0.0-alpha.1 , <= 41.0.0 | 41.0.0 |
Original title
Electron: nodeIntegrationInWorker not correctly scoped in shared renderer processes
Original description
### Impact
The `nodeIntegrationInWorker` webPreference was not correctly scoped in all configurations. In certain process-sharing scenarios, workers spawned in frames configured with `nodeIntegrationInWorker: false` could still receive Node.js integration.
Apps are only affected if they enable `nodeIntegrationInWorker`. Apps that do not use `nodeIntegrationInWorker` are not affected.
### Workarounds
Avoid enabling `nodeIntegrationInWorker` in apps that also open child windows or embed content with differing webPreferences.
### Fixed Versions
* `41.0.0`
* `40.8.4`
* `39.8.4`
* `38.8.6`
### For more information
If there are any questions or comments about this advisory, please email [[email protected]](mailto:[email protected])
The `nodeIntegrationInWorker` webPreference was not correctly scoped in all configurations. In certain process-sharing scenarios, workers spawned in frames configured with `nodeIntegrationInWorker: false` could still receive Node.js integration.
Apps are only affected if they enable `nodeIntegrationInWorker`. Apps that do not use `nodeIntegrationInWorker` are not affected.
### Workarounds
Avoid enabling `nodeIntegrationInWorker` in apps that also open child windows or embed content with differing webPreferences.
### Fixed Versions
* `41.0.0`
* `40.8.4`
* `39.8.4`
* `38.8.6`
### For more information
If there are any questions or comments about this advisory, please email [[email protected]](mailto:[email protected])
ghsa CVSS3.1
6.8
Vulnerability type
CWE-653
Published: 3 Apr 2026 · Updated: 3 Apr 2026 · First seen: 3 Apr 2026