Monitor vulnerabilities like this one.
Sign up free to get alerted when software you use is affected.
3.9
Electron: Malicious app can hijack login on Windows
GHSA-jfqx-fxh3-c62j
CVE-2026-34768
Summary
If an Electron app is installed in a folder with a space in its name, an attacker could trick Windows into running a different program at login. This could happen if the app is installed by a standard user on a non-standard Windows install. To fix, install the app in a secure location or avoid folders with spaces in their names.
What to do
- Update electron to version 38.8.6.
- Update electron to version 39.8.1.
- Update electron to version 40.8.0.
- Update electron to version 41.0.0-beta.8.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| – | electron | <= 38.8.6 | 38.8.6 |
| – | electron | > 39.0.0-alpha.1 , <= 39.8.1 | 39.8.1 |
| – | electron | > 40.0.0-alpha.1 , <= 40.8.0 | 40.8.0 |
| – | electron | > 41.0.0-alpha.1 , <= 41.0.0-beta.8 | 41.0.0-beta.8 |
Original title
Electron: Unquoted executable path in app.setLoginItemSettings on Windows
Original description
### Impact
On Windows, `app.setLoginItemSettings({openAtLogin: true})` wrote the executable path to the `Run` registry key without quoting. If the app is installed to a path containing spaces, an attacker with write access to an ancestor directory may be able to cause a different executable to run at login instead of the intended app.
On a default Windows install, standard system directories are protected against writes by standard users, so exploitation typically requires a non-standard install location.
### Workarounds
Install the application to a path without spaces, or to a location where all ancestor directories are protected against unauthorized writes.
### Fixed Versions
* `41.0.0-beta.8`
* `40.8.0`
* `39.8.1`
* `38.8.6`
### For more information
If there are any questions or comments about this advisory, send an email to [[email protected]](mailto:[email protected])
On Windows, `app.setLoginItemSettings({openAtLogin: true})` wrote the executable path to the `Run` registry key without quoting. If the app is installed to a path containing spaces, an attacker with write access to an ancestor directory may be able to cause a different executable to run at login instead of the intended app.
On a default Windows install, standard system directories are protected against writes by standard users, so exploitation typically requires a non-standard install location.
### Workarounds
Install the application to a path without spaces, or to a location where all ancestor directories are protected against unauthorized writes.
### Fixed Versions
* `41.0.0-beta.8`
* `40.8.0`
* `39.8.1`
* `38.8.6`
### For more information
If there are any questions or comments about this advisory, send an email to [[email protected]](mailto:[email protected])
ghsa CVSS3.1
3.9
Vulnerability type
CWE-428
Published: 3 Apr 2026 · Updated: 3 Apr 2026 · First seen: 3 Apr 2026