CVE-2026-34765
Published: 07 April 2026
Summary
CVE-2026-34765 is a medium-severity Exposure of Resource to Wrong Sphere (CWE-668) vulnerability in Electronjs Electron. Its CVSS base score is 6.0 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). Its exploit likelihood ranks at the 7.3rd percentile (below the median), and it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-6 (Least Privilege).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5) [AI]
AC-3 enforces access controls to scope named-window lookups to the opener's browsing context group, directly preventing unrelated renderers from navigating existing child windows.
CM-6 requires secure configuration of Electron's setWindowOpenHandler and webPreferences to avoid elevating privileges in child windows, mitigating exploitation in multi-trust-level window setups.
AC-6 applies least privilege to renderer processes and child windows, preventing inheritance of permissive settings like nodeIntegration or disabled sandboxing by navigated malicious content.
MITRE ATT&CK Enterprise Techniques [AI]
Why these techniques?
Vulnerability enables privilege escalation via cross-renderer window navigation to inherit elevated webPreferences and can facilitate arbitrary code execution when nodeIntegration is enabled.
NVD Description
Electron is a framework for writing cross-platform desktop applications using JavaScript, HTML and CSS. Prior to 39.8.5, 40.8.5, 41.1.0, and 42.0.0-alpha.5, when a renderer calls window.open() with a target name, Electron did not correctly scope the named-window lookup to the opener's browsing context group. A renderer could navigate an existing child window that was opened by a different, unrelated renderer if both used the same target name. If that existing child was created with more permissive webPreferences (via setWindowOpenHandler's overrideBrowserWindowOptions), content loaded by the second renderer inherits those permissions. Apps are only affected if they open multiple top-level windows with differing trust levels and use setWindowOpenHandler to grant child windows elevated webPreferences such as a privileged preload script. Apps that do not elevate child window privileges, or that use a single top-level window, are not affected. Apps that additionally grant nodeIntegration: true or sandbox: false to child windows (contrary to the security recommendations) may be exposed to arbitrary code execution. This vulnerability is fixed in 39.8.5, 40.8.5, 41.1.0, and 42.0.0-alpha.5.
Deeper analysis [AI]
CVE-2026-34765 is a vulnerability in the Electron framework, which enables cross-platform desktop applications using JavaScript, HTML, and CSS. In versions prior to 39.8.5, 40.8.5, 41.1.0, and 42.0.0-alpha.5, Electron fails to properly scope named-window lookups to the opener's browsing context group when a renderer calls window.open() with a target name. This allows a renderer to navigate an existing child window opened by a different, unrelated renderer if both use the same target name. Affected applications are those that open multiple top-level windows with differing trust levels and use setWindowOpenHandler to grant child windows elevated webPreferences, such as privileged preload scripts; applications using a single top-level window or not elevating child privileges remain unaffected. The issue is classified under CWE-668 with a CVSS v3.1 base score of 6.0 (AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:L).
Exploitation requires an attacker with low privileges (PR:L) in a renderer process, such as an authenticated but untrusted renderer, to target an existing child window created by a higher-trust renderer using the same window name. By navigating that child window, the attacker's content can inherit the more permissive webPreferences configured via setWindowOpenHandler's overrideBrowserWindowOptions. This enables privilege escalation within the application's context. If the application additionally sets nodeIntegration: true or sandbox: false on child windows—contrary to security best practices—the attacker may achieve arbitrary code execution. The attack is network-vector (AV:N) but high complexity (AC:H), with no user interaction needed (UI:N) and changed scope (S:C) leading to low impacts on confidentiality, integrity, and availability.
The Electron security advisory at https://github.com/electron/electron/security/advisories/GHSA-f3pv-wv63-48x8 details the fix implemented in versions 39.8.5, 40.8.5, 41.1.0, and 42.0.0-alpha.5, which correctly scopes window lookups to the opener's browsing context group. Security practitioners should upgrade affected Electron instances immediately and audit applications for multi-window setups with varying trust levels and custom setWindowOpenHandler configurations to prevent exposure.
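The upgrade-and-audit step above can be scripted. The following is an added example, not code from the Electron project or the advisory: it checks an Electron version against the fixed releases listed on this page and inspects the object a setWindowOpenHandler callback returns for the elevated webPreferences the description names. The function names and status strings are hypothetical, and the helper cannot tell whether the app opens multiple top-level windows with differing trust levels.

```javascript
// Added example, not Electron project code. Fixed releases come from the advisory text.
const FIXED = { 39: '39.8.5', 40: '40.8.5', 41: '41.1.0', 42: '42.0.0-alpha.5' };

function parse(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?$/.exec(String(v).trim());
  if (!m) throw new Error(`unparseable version: ${v}`);
  return { nums: [+m[1], +m[2], +m[3]], pre: m[4] ? m[4].split('.') : null };
}

// Semver precedence: a release outranks its prereleases; numeric ids compare as numbers.
function compare(a, b) {
  const x = parse(a), y = parse(b);
  for (let i = 0; i < 3; i++) if (x.nums[i] !== y.nums[i]) return x.nums[i] < y.nums[i] ? -1 : 1;
  if (!x.pre || !y.pre) return x.pre ? -1 : y.pre ? 1 : 0;
  for (let i = 0; i < Math.max(x.pre.length, y.pre.length); i++) {
    const p = x.pre[i], q = y.pre[i];
    if (p === undefined || q === undefined) return p === undefined ? -1 : 1;
    if (p === q) continue;
    const pn = /^\d+$/.test(p), qn = /^\d+$/.test(q);
    if (pn && qn) return +p < +q ? -1 : 1;
    return pn !== qn ? (pn ? -1 : 1) : (p < q ? -1 : 1);
  }
  return 0;
}

function isPatched(version) {
  const major = parse(version).nums[0];
  if (major < 39) return false; // older lines: every release is "prior to 39.8.5"
  return major > 42 || compare(version, FIXED[major]) >= 0;
}

// List the child-window privileges the advisory names in a setWindowOpenHandler return value.
function auditOpenHandlerResult(result) {
  if (!result || result.action !== 'allow') return [];
  const wp = (result.overrideBrowserWindowOptions || {}).webPreferences || {};
  const findings = [];
  if (wp.preload) findings.push('preload');
  if (wp.nodeIntegration === true) findings.push('nodeIntegration');
  if (wp.sandbox === false) findings.push('sandbox-disabled');
  return findings;
}

function triage(version, result) {
  const findings = auditOpenHandlerResult(result);
  if (isPatched(version)) return { status: 'patched', findings };
  if (findings.length === 0) return { status: 'not-elevated', findings };
  const rce = findings.some((f) => f !== 'preload');
  return { status: rce ? 'elevated-code-execution' : 'elevated', findings };
}
```

A status of `elevated` or `elevated-code-execution` on an unpatched version marks a handler to review against the multi-window condition in the description; it does not by itself establish that the app is affected.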
Details
- CWE(s)