Cyber Posture

CVE-2026-34769

Severity: High
Published: 04 April 2026
Modified: 09 April 2026
CVSS Score: 7.7 (CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H)
EPSS Score: 0.0001 (0.7th percentile)
Risk Priority: 15 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-34769 is a high-severity Argument Injection (CWE-88) vulnerability in Electronjs Electron. Its CVSS base score is 7.7 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Client Execution (T1203). The CVE is ranked at the 0.7th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 CM-6 (Configuration Settings) and SI-10 (Information Input Validation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploitation for Client Execution (T1203). What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

prevent: Directly mitigates the CVE by requiring timely remediation of the flaw through patching Electron to versions 38.8.6, 39.8.0, 40.7.0, or 41.0.0-beta.8, which secure the undocumented commandLineSwitches webPreference.

prevent: Validates untrusted configuration objects spread into webPreferences to block injection of arbitrary switches that disable renderer sandboxing or web security controls.

prevent: Enforces secure baseline configuration settings for Electron webPreferences using hardcoded values or strict allowlists, preventing acceptance of untrusted inputs that enable command line switch injection.

MITRE ATT&CK Enterprise Techniques

T1203 Exploitation for Client Execution (tactic: Execution)
Adversaries may exploit software vulnerabilities in client applications to execute code.
Why these techniques?

The vulnerability in Electron allows injection of command-line switches to disable renderer sandboxing and web security, directly enabling exploitation of client applications for arbitrary code execution.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

Electron is a framework for writing cross-platform desktop applications using JavaScript, HTML and CSS. Prior to versions 38.8.6, 39.8.0, 40.7.0, and 41.0.0-beta.8, an undocumented commandLineSwitches webPreference allowed arbitrary switches to be appended to the renderer process command line. Apps that construct webPreferences by spreading untrusted configuration objects may inadvertently allow an attacker to inject switches that disable renderer sandboxing or web security controls. Apps are only affected if they construct webPreferences from external or untrusted input without an allowlist. Apps that use a fixed, hardcoded webPreferences object are not affected. This issue has been patched in versions 38.8.6, 39.8.0, 40.7.0, and 41.0.0-beta.8.

Deeper analysis

CVE-2026-34769 affects the Electron framework, which enables development of cross-platform desktop applications using JavaScript, HTML, and CSS. In versions prior to 38.8.6, 39.8.0, 40.7.0, and 41.0.0-beta.8, an undocumented webPreference named commandLineSwitches permits arbitrary switches to be appended to the renderer process command line. This vulnerability impacts Electron-based applications that construct webPreferences by spreading untrusted configuration objects, without implementing an allowlist, potentially enabling attackers to inject switches that disable critical protections such as renderer sandboxing or web security controls. Applications using fixed, hardcoded webPreferences remain unaffected.

Exploitation requires local access (AV:L), high attack complexity (AC:H), no privileges (PR:N), and user interaction (UI:R), with a CVSS v3.1 base score of 7.7 indicating high severity due to changed scope (S:C) and high impacts on confidentiality, integrity, and availability (C:H/I:H/A:H). An attacker could supply malicious configuration data—such as through external inputs or tampered files—to an affected application, tricking a user into loading it. Successful exploitation allows bypassing sandboxing and security features in the renderer process, potentially leading to arbitrary code execution or data exfiltration within the application's context. The issue maps to CWE-88 (Improper Neutralization of Argument Delimiters in a Command) and CWE-912 (Hidden Functionality).

The Electron security advisory (GHSA-9wfr-w7mm-pc7f) confirms patches in versions 38.8.6, 39.8.0, 40.7.0, and 41.0.0-beta.8, recommending that developers avoid spreading untrusted objects into webPreferences and instead use hardcoded configurations or strict allowlists for any dynamic inputs to prevent switch injection.
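The advisory's recommendation in working form, as an added example that is not Electron's code or the advisory's own: the vulnerable "spread the config" pattern beside an allowlist builder that copies only known keys of the expected type and applies a hardcoded security baseline last. The allowlisted keys, the baseline, and the sample config (with a placeholder switch name, not a real Chromium switch) are assumptions for illustration; the returned object is what an app would hand to `new BrowserWindow({ webPreferences })`.

```javascript
// Allowlist of webPreferences keys this app accepts from external config,
// with the type each must have (assumed for this example). Anything else,
// including the undocumented commandLineSwitches key, is dropped.
const ALLOWED_WEB_PREFERENCES = Object.freeze({
  zoomFactor: 'number',
  spellcheck: 'boolean',
  backgroundThrottling: 'boolean',
});

// Hardcoded security baseline; untrusted input must never override it.
const SECURE_BASELINE = Object.freeze({
  sandbox: true,
  contextIsolation: true,
  nodeIntegration: false,
  webSecurity: true,
});

// Vulnerable pattern named in the advisory: spreading an untrusted object
// after the baseline lets every key through, commandLineSwitches included,
// and lets the input overwrite the baseline itself.
function buildWebPreferencesUnsafe(untrustedConfig) {
  return { ...SECURE_BASELINE, ...untrustedConfig };
}

// Hardened builder: keep only allowlisted keys of the right type, report
// what was rejected (worth logging), and spread the baseline last so it wins.
function buildWebPreferencesSafe(untrustedConfig) {
  const accepted = {};
  const rejected = [];
  for (const [key, value] of Object.entries(untrustedConfig || {})) {
    // hasOwnProperty guards against keys like __proto__ or constructor.
    const known = Object.prototype.hasOwnProperty.call(ALLOWED_WEB_PREFERENCES, key);
    if (known && typeof value === ALLOWED_WEB_PREFERENCES[key]) {
      accepted[key] = value;
    } else {
      rejected.push(key);
    }
  }
  return { webPreferences: { ...accepted, ...SECURE_BASELINE }, rejected };
}

// Constructed sample standing in for a config file read from disk.
const SAMPLE_UNTRUSTED_CONFIG = {
  zoomFactor: 1.25,                                   // allowlisted, kept
  spellcheck: 'yes',                                  // wrong type, dropped
  sandbox: false,                                     // baseline override attempt, dropped
  commandLineSwitches: ['--example-switch-placeholder'], // not allowlisted, dropped
};

console.log('unsafe:', buildWebPreferencesUnsafe(SAMPLE_UNTRUSTED_CONFIG));
console.log('safe:', buildWebPreferencesSafe(SAMPLE_UNTRUSTED_CONFIG));
```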

Details

CWE(s): CWE-88 (Improper Neutralization of Argument Delimiters in a Command), CWE-912 (Hidden Functionality)

Affected Products

electronjs electron: 41.0.0 · ≤ 38.8.6 · 39.0.0 to 39.8.0 · 40.0.0 to 40.7.0

CVEs Like This One

CVE-2026-34774: same product (Electronjs Electron)
CVE-2026-34771: same product (Electronjs Electron)
CVE-2026-34772: same product (Electronjs Electron)
CVE-2026-34770: same product (Electronjs Electron)
CVE-2026-34765: same product (Electronjs Electron)
CVE-2026-34775: same product (Electronjs Electron)
CVE-2026-34780: same product (Electronjs Electron)
CVE-2026-34773: same product (Electronjs Electron)
CVE-2026-34768: same product (Electronjs Electron)
CVE-2026-34779: same product (Electronjs Electron)

References