7.8
Electron: Malicious Code Can Bypass Security Settings
GHSA-9wfr-w7mm-pc7f
CVE-2026-34769
Summary
If you use Electron to build desktop apps, be careful when building your app's `webPreferences` from user-supplied or external configuration. An attacker who controls that configuration can smuggle in the undocumented `commandLineSwitches` preference and have arbitrary switches appended to the renderer process command line, which can disable renderer sandboxing or web security controls. To fix this, construct `webPreferences` only from an explicit allowlist of trusted keys, never by spreading an untrusted object.
What to do
- Update electron to the fixed release for the line your app is on: 38.8.6, 39.8.0, 40.7.0, or 41.0.0-beta.8.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| – | electron | < 38.8.6 | 38.8.6 |
| – | electron | > 39.0.0-alpha.1, < 39.8.0 | 39.8.0 |
| – | electron | > 40.0.0-alpha.1, < 40.7.0 | 40.7.0 |
| – | electron | > 41.0.0-alpha.1, < 41.0.0-beta.8 | 41.0.0-beta.8 |
Original title
Electron: Renderer command-line switch injection via undocumented commandLineSwitches webPreference
Original description
### Impact
An undocumented `commandLineSwitches` webPreference allowed arbitrary switches to be appended to the renderer process command line. Apps that construct `webPreferences` by spreading untrusted configuration objects may inadvertently allow an attacker to inject switches that disable renderer sandboxing or web security controls.
Apps are only affected if they construct `webPreferences` from external or untrusted input without an allowlist. Apps that use a fixed, hardcoded `webPreferences` object are not affected.
### Workarounds
Do not spread untrusted input into `webPreferences`. Use an explicit allowlist of permitted preference keys when constructing `BrowserWindow` or `webContents` options from external configuration.
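The vulnerable spread pattern from the Impact section beside the allowlist approach from the Workarounds section, as an added example that is not code from the advisory or from the Electron project. It runs without Electron because it only builds the object you would pass as `webPreferences`; the allowlisted keys (`zoomFactor`, `spellcheck`, `backgroundThrottling`) and the sample config are assumptions chosen for the example.

```javascript
// Added example: vulnerable vs. hardened construction of Electron
// webPreferences from an external config object. Not from the advisory.

// Fixed, hardcoded security-relevant defaults; never overridable by input.
const SECURE_DEFAULTS = Object.freeze({
  sandbox: true,
  contextIsolation: true,
  nodeIntegration: false,
  webSecurity: true,
});

// Keys an external config may set, each with a value check.
// This key set is an assumption for the example; choose it per app.
const ALLOWED_KEYS = {
  zoomFactor: (v) => typeof v === 'number' && v > 0 && v <= 5,
  spellcheck: (v) => typeof v === 'boolean',
  backgroundThrottling: (v) => typeof v === 'boolean',
};

// Vulnerable pattern: every key in the untrusted object, including the
// undocumented `commandLineSwitches`, lands in webPreferences and the
// spread lets it override the secure defaults.
function buildWebPreferencesUnsafe(untrusted) {
  return { ...SECURE_DEFAULTS, ...untrusted };
}

// Hardened pattern: copy only allowlisted keys whose values validate,
// then apply the fixed defaults last so they win for security keys.
function buildWebPreferences(untrusted) {
  const input = untrusted !== null && typeof untrusted === 'object' ? untrusted : {};
  const picked = {};
  for (const [key, isValid] of Object.entries(ALLOWED_KEYS)) {
    if (Object.prototype.hasOwnProperty.call(input, key) && isValid(input[key])) {
      picked[key] = input[key];
    }
  }
  return { ...picked, ...SECURE_DEFAULTS };
}

// Constructed sample: a config file an attacker controls. The switch
// value is a placeholder string, not a real Chromium switch.
const untrustedConfig = {
  zoomFactor: 1.25,
  sandbox: false,
  commandLineSwitches: ['--constructed-example-switch'],
};
```

Pass the result of `buildWebPreferences(config)` as the `webPreferences` option of `new BrowserWindow(...)`; the unsafe builder is kept only to show what the advisory warns against.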
### Fixed Versions
* `41.0.0-beta.8`
* `40.7.0`
* `39.8.0`
* `38.8.6`
### For more information
If there are any questions or comments about this advisory, send an email to [[email protected]](mailto:[email protected])
GHSA CVSS 3.1 score: 7.8
Vulnerability type
CWE-88 (Improper Neutralization of Argument Delimiters in a Command, 'Argument Injection')
CWE-912 (Hidden Functionality)
Published: 3 Apr 2026 · Updated: 3 Apr 2026 · First seen: 3 Apr 2026