CVE-2026-34768
Published: 04 April 2026
Summary
CVE-2026-34768 is a low-severity Unquoted Search Path or Element (CWE-428) vulnerability in Electronjs Electron. Its CVSS base score is 3.9 (Low).
Operationally, exploitation aligns with the MITRE ATT&CK technique Path Interception by Unquoted Path (T1574.009); ranked at the 0.4th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-6 (Least Privilege) and CM-11 (User-installed Software).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- Flaw remediation: directly mitigates the unquoted path vulnerability by requiring timely updates to the Electron versions that properly quote the executable path written to the Run registry key.
- AC-6 (Least Privilege): enforces least privilege to restrict write access to ancestor directories of application installation paths, removing the prerequisite for path hijacking.
- CM-11 (User-installed Software): establishes and enforces policies restricting user-installed software such as Electron apps to protected standard directories, eliminating the risk of writable ancestor directories.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability is an unquoted executable path written to the Run registry key by app.setLoginItemSettings, directly enabling path interception by unquoted path for malicious executable substitution at login.
NVD Description
Electron is a framework for writing cross-platform desktop applications using JavaScript, HTML and CSS. Prior to versions 38.8.6, 39.8.1, 40.8.0, and 41.0.0-beta.8, on Windows, app.setLoginItemSettings({openAtLogin: true}) wrote the executable path to the Run registry key without quoting. If the app is installed to a path containing spaces, an attacker with write access to an ancestor directory may be able to cause a different executable to run at login instead of the intended app. On a default Windows install, standard system directories are protected against writes by standard users, so exploitation typically requires a non-standard install location. This issue has been patched in versions 38.8.6, 39.8.1, 40.8.0, and 41.0.0-beta.8.
Deeper analysis
CVE-2026-34768 is a vulnerability in the Electron framework, which enables development of cross-platform desktop applications using JavaScript, HTML, and CSS. On Windows systems, versions prior to 38.8.6, 39.8.1, 40.8.0, and 41.0.0-beta.8 improperly handle the `app.setLoginItemSettings({openAtLogin: true})` function by writing the application's executable path to the Run registry key without proper quoting. This issue, classified under CWE-428 (Unquoted Search Path or Element), affects applications that enable auto-start at login when installed in paths containing spaces.
Exploitation requires a local attacker with high privileges (PR:H) and write access to an ancestor directory of the application's installation path. On default Windows installations, standard system directories are protected from writes by standard users, limiting feasibility to non-standard installation locations. Successful exploitation allows the attacker to substitute a malicious executable that runs at user login instead of the intended application, potentially leading to limited confidentiality, integrity, and availability impacts as scored by CVSS 3.9 (AV:L/AC:H/PR:H/UI:N/S:U/C:L/I:L/A:L).
The Electron security advisory at https://github.com/electron/electron/security/advisories/GHSA-jfqx-fxh3-c62j confirms the issue has been patched in versions 38.8.6, 39.8.1, 40.8.0, and 41.0.0-beta.8, recommending immediate upgrades for affected applications to mitigate the unquoted path risk.
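The following is an added defensive check, not Electron's code or part of the advisory: it inspects Run-key command strings for the pattern this CVE describes (an unquoted executable path containing spaces) and lists the ancestor directories whose write permissions an administrator should verify. The registry contents below are constructed sample data, and the value names and paths are hypothetical.

```python
import ntpath
import re


def parse_run_value(value: str):
    """Split a Run-key command string into (exe_path, quoted).

    A quoted value ends at the closing quote (anything after it is arguments);
    a bare value is taken to end at the first token ending in .exe.
    """
    value = value.strip()
    if value.startswith('"'):
        end = value.find('"', 1)
        return (value[1:] if end == -1 else value[1:end]), True
    m = re.match(r"(.*?\.exe)(?:\s|$)", value, re.IGNORECASE)
    return (m.group(1) if m else value.split(" ", 1)[0]), False


def ancestors_to_audit(exe_path: str):
    """For an unquoted path with spaces, return the parent directory of every
    prefix that ends right before a space: these are the ancestor directories
    that must not be writable by standard users."""
    dirs = []
    for i, ch in enumerate(exe_path):
        if ch == " ":
            parent = ntpath.dirname(exe_path[:i])
            if parent and parent not in dirs:
                dirs.append(parent)
    return dirs


def audit_run_key(entries: dict):
    """entries maps value name -> command string. Returns one finding per value
    that shows the CVE-2026-34768 pattern (unquoted path containing a space)."""
    findings = []
    for name, cmd in entries.items():
        exe, quoted = parse_run_value(cmd)
        if not quoted and " " in exe:
            findings.append({"name": name, "exe": exe,
                             "audit_dirs": ancestors_to_audit(exe)})
    return findings


# Constructed sample Run-key contents (hypothetical names and paths).
SAMPLE_RUN_KEY = {
    "CoolApp": r"C:\Users\alice\My Apps\Cool App\cool.exe --hidden",    # unquoted: vulnerable form
    "CoolApp2": r'"C:\Users\alice\My Apps\Cool App\cool.exe" --hidden',  # quoted: patched form
    "Tool": r"C:\tools\tool.exe",                                        # no spaces: not affected
}

if __name__ == "__main__":
    for f in audit_run_key(SAMPLE_RUN_KEY):
        print(f"{f['name']}: unquoted path {f['exe']}")
        print("  verify standard users cannot write to:", ", ".join(f["audit_dirs"]))
```

On a live Windows host the same functions can be fed the values read from HKCU\Software\Microsoft\Windows\CurrentVersion\Run (for example via winreg) to find applications still running a pre-fix Electron.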
Details
- CWE(s)