4.7
Electron: Attackers can hijack Windows protocol handlers
GHSA-mwmh-mq4g-g6gr
CVE-2026-34773
Summary
If you're using Electron, check if you're passing untrusted input to the setAsDefaultProtocolClient method on Windows. If you are, an attacker could potentially take control of your app's protocol handlers. Update to version 41.0.0 or later to fix this issue.
What to do
- Update electron to version 38.8.6.
- Update electron to version 39.8.1.
- Update electron to version 40.8.1.
- Update electron to version 41.0.0.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| – | electron | <= 38.8.6 | 38.8.6 |
| – | electron | > 39.0.0-alpha.1 , <= 39.8.1 | 39.8.1 |
| – | electron | > 40.0.0-alpha.1 , <= 40.8.1 | 40.8.1 |
| – | electron | > 41.0.0-alpha.1 , <= 41.0.0 | 41.0.0 |
Original title
Electron: Registry key path injection in app.setAsDefaultProtocolClient on Windows
Original description
### Impact
On Windows, `app.setAsDefaultProtocolClient(protocol)` did not validate the protocol name before writing to the registry. Apps that pass untrusted input as the protocol name may allow an attacker to write to arbitrary subkeys under `HKCU\Software\Classes\`, potentially hijacking existing protocol handlers.
Apps are only affected if they call `app.setAsDefaultProtocolClient()` with a protocol name derived from external or untrusted input. Apps that use a hardcoded protocol name are not affected.
### Workarounds
Validate the protocol name matches `/^[a-zA-Z][a-zA-Z0-9+.-]*$/` before passing it to `app.setAsDefaultProtocolClient()`.
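The workaround above as an added example (not Electron's or the advisory's own code): a wrapper that checks a caller-supplied scheme name against the advisory's pattern before it ever reaches `app.setAsDefaultProtocolClient()`. The `electronApp` parameter, the `registerProtocol` name and the stub app in `demo()` are assumptions so the code runs outside Electron; in a real app pass `require('electron').app`.

```javascript
// Added example (not Electron's own code). Pattern is the one the advisory gives.
const PROTOCOL_NAME = /^[a-zA-Z][a-zA-Z0-9+.-]*$/;

// A scheme name must start with a letter and contain only letters, digits,
// '+', '.' or '-'. Anything else (backslashes, slashes, empty strings, leading
// digits) could be interpreted as a registry path fragment and is rejected.
function isSafeProtocolName(name) {
  return typeof name === 'string' && PROTOCOL_NAME.test(name);
}

// Wrapper around the Electron call. `electronApp` is injected (assumption) so
// the function can be exercised without Electron; in an app use the real `app`.
function registerProtocol(electronApp, name) {
  if (!isSafeProtocolName(name)) {
    throw new Error(`refusing to register protocol ${JSON.stringify(name)}: invalid scheme name`);
  }
  return electronApp.setAsDefaultProtocolClient(name);
}

// Stand-alone demo with a constructed stub app that only records what would
// have been registered. Returns which candidates were accepted or rejected.
function demo() {
  const calls = [];
  const stubApp = { setAsDefaultProtocolClient: (n) => { calls.push(n); return true; } };
  const candidates = ['myapp', 'my-app+v2', 'bad\\sub\\key', 'a/b', '', '1abc'];
  const results = {};
  for (const candidate of candidates) {
    try {
      registerProtocol(stubApp, candidate);
      results[candidate] = 'registered';
    } catch (e) {
      results[candidate] = 'rejected';
    }
  }
  return { results, calls };
}

console.log(JSON.stringify(demo(), null, 2));
```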
### Fixed Versions
* `41.0.0`
* `40.8.1`
* `39.8.1`
* `38.8.6`
### For more information
If there are any questions or comments about this advisory, please email [[email protected]](mailto:[email protected])
CVSS 3.1 (GHSA): 4.7
Vulnerability type
CWE-20
Improper Input Validation
CWE-74
Injection
Published: 3 Apr 2026 · Updated: 3 Apr 2026 · First seen: 3 Apr 2026