Electron: Malicious IFrame Can Get Unrestricted Browser Permissions

GHSA-r5p7-gp4j-qhrx CVE-2026-34777
Summary

A flaw in Electron's permission system could allow malicious content inside an iframe to obtain browser permissions such as fullscreen, pointer and keyboard lock, opening external links, and media access, because the origin reported to the app's permission handler was the top-level page's origin rather than the iframe's. To fix this, software developers should update to a patched version of Electron and check the requesting URL (`details.requestingUrl`) instead of the origin parameter when granting permissions. All affected users should update Electron to version 41.0.0 or later.

What to do
  • Update electron to version 38.8.6.
  • Update electron to version 39.8.1.
  • Update electron to version 40.8.1.
  • Update electron to version 41.0.0.
Affected software
| Vendor | Product  | Affected versions                   | Fix available |
|--------|----------|-------------------------------------|---------------|
|        | electron | <= 38.8.6                           | 38.8.6        |
|        | electron | > 39.0.0-alpha.1, <= 39.8.1         | 39.8.1        |
|        | electron | > 40.0.0-alpha.1, <= 40.8.1         | 40.8.1        |
|        | electron | > 41.0.0-alpha.1, <= 41.0.0         | 41.0.0        |
Original title
Electron: Incorrect origin passed to permission request handler for iframe requests
Original description
### Impact
When an iframe requests `fullscreen`, `pointerLock`, `keyboardLock`, `openExternal`, or `media` permissions, the origin passed to `session.setPermissionRequestHandler()` was the top-level page's origin rather than the requesting iframe's origin. Apps that grant permissions based on the origin parameter or `webContents.getURL()` may inadvertently grant permissions to embedded third-party content.

The correct requesting URL remains available via `details.requestingUrl`. Apps that already check `details.requestingUrl` are not affected.

### Workarounds
In your `setPermissionRequestHandler`, inspect `details.requestingUrl` rather than the origin parameter or `webContents.getURL()` when deciding whether to grant `fullscreen`, `pointerLock`, `keyboardLock`, `openExternal`, or `media` permissions.
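The decision logic below is an added example, not Electron's code or the advisory's: it contrasts a handler that grants based on `webContents.getURL()` (the pattern the advisory says is affected) with one that grants based on `details.requestingUrl`. The trusted origin `https://app.example` and the iframe URL are constructed placeholders; the handler signature `(webContents, permission, callback, details)` follows Electron's documented `setPermissionRequestHandler`.

```javascript
// Constructed policy: the app only grants these permissions to its own origin.
const TRUSTED_ORIGIN = 'https://app.example'; // placeholder, not a real deployment
const GRANTABLE = new Set(['fullscreen', 'pointerLock', 'keyboardLock', 'openExternal', 'media']);

function originOf(url) {
  try { return new URL(url).origin; } catch { return null; }
}

// Affected pattern: decides on the top-level page URL. On vulnerable Electron
// versions an iframe's request is attributed to the top-level origin, so a
// third-party frame embedded in the trusted page is granted the permission.
function vulnerableDecision(webContents, permission) {
  if (!GRANTABLE.has(permission)) return false;
  return originOf(webContents.getURL()) === TRUSTED_ORIGIN;
}

// Workaround from the advisory: decide on details.requestingUrl, which names
// the frame that actually made the request. Deny when it cannot be established.
function hardenedDecision(webContents, permission, details) {
  if (!GRANTABLE.has(permission)) return false;
  const requesting = details && details.requestingUrl;
  if (typeof requesting !== 'string' || requesting.length === 0) return false;
  return originOf(requesting) === TRUSTED_ORIGIN;
}

// Wiring inside a real Electron app (needs the electron runtime, so commented out here):
// const { session } = require('electron');
// session.defaultSession.setPermissionRequestHandler((wc, permission, callback, details) => {
//   callback(hardenedDecision(wc, permission, details));
// });

// Constructed scenario: the trusted top-level page embeds a third-party iframe
// that requests pointerLock. webContents is stubbed with just the method used.
const topLevel = { getURL: () => 'https://app.example/index.html' };
const iframeRequest = { requestingUrl: 'https://ads.third-party.example/widget.html' };
const sameOriginRequest = { requestingUrl: 'https://app.example/settings.html' };

function demo() {
  return {
    vulnerable: vulnerableDecision(topLevel, 'pointerLock'),                 // true: iframe gets it
    hardened: hardenedDecision(topLevel, 'pointerLock', iframeRequest),      // false: iframe denied
    hardenedSameOrigin: hardenedDecision(topLevel, 'pointerLock', sameOriginRequest), // true
  };
}
```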

### Fixed Versions
* `41.0.0`
* `40.8.1`
* `39.8.1`
* `38.8.6`

### For more information
If there are any questions or comments about this advisory, please email [[email protected]](mailto:[email protected])
Severity: CVSS 3.1 5.4 (source: GHSA)
Vulnerability type: CWE-346
Published: 3 Apr 2026 · Updated: 3 Apr 2026 · First seen: 3 Apr 2026