CVE-2026-34775
Published: 04 April 2026
Summary
CVE-2026-34775 is a medium-severity Improper Isolation or Compartmentalization (CWE-653) vulnerability in Electronjs Electron. Its CVSS base score is 6.8 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Client Execution (T1203); ranked at the 2.1th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 CM-6 (Configuration Settings) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly addresses the CVE by requiring timely remediation of the Electron flaw through patching to versions 38.8.6, 39.8.4, 40.8.4, or 41.0.0, fixing the nodeIntegrationInWorker scoping issue.
Ensures secure baseline configuration settings for Electron webPreferences, such as disabling nodeIntegrationInWorker globally or where unnecessary, preventing exploitation since apps not using it are unaffected.
Limits Electron to least functionality by restricting risky features like nodeIntegrationInWorker, reducing the attack surface even in configurations where it might be partially enabled.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
The vulnerability bypasses nodeIntegrationInWorker scoping in Electron, allowing unauthorized Node.js integration in workers via malicious content interaction; this directly enables client-side code execution (T1203) and malicious JavaScript execution with Node.js APIs (T1059.007).
NVD Description
Electron is a framework for writing cross-platform desktop applications using JavaScript, HTML and CSS. Prior to versions 38.8.6, 39.8.4, 40.8.4, and 41.0.0, the nodeIntegrationInWorker webPreference was not correctly scoped in all configurations. In certain process-sharing scenarios, workers spawned in frames…
more
configured with nodeIntegrationInWorker: false could still receive Node.js integration. Apps are only affected if they enable nodeIntegrationInWorker. Apps that do not use nodeIntegrationInWorker are not affected. This issue has been patched in versions 38.8.6, 39.8.4, 40.8.4, and 41.0.0.
Deeper analysisAI
CVE-2026-34775 is a vulnerability in the Electron framework, used for developing cross-platform desktop applications with JavaScript, HTML, and CSS. Prior to versions 38.8.6, 39.8.4, 40.8.4, and 41.0.0, the nodeIntegrationInWorker webPreference is not correctly scoped in all configurations. In certain process-sharing scenarios, this allows workers spawned in frames configured with nodeIntegrationInWorker: false to still receive Node.js integration. Only Electron applications that enable nodeIntegrationInWorker are affected; those that do not use this option remain unaffected.
Remote attackers with no privileges can exploit this issue via network access, though it requires high attack complexity and user interaction, as indicated by its CVSS v3.1 score of 6.8 (AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N) and association with CWE-653. Exploitation involves scenarios where a user interacts with malicious content in an affected application, potentially enabling the attacker to inject or spawn workers that gain unauthorized Node.js integration despite frame-level restrictions. Successful exploitation leads to high confidentiality and integrity impacts, such as unauthorized access to Node.js APIs.
The Electron security advisory (GHSA-xwr5-m59h-vwqr) at https://github.com/electron/electron/security/advisories/GHSA-xwr5-m59h-vwqr confirms the patch in versions 38.8.6, 39.8.4, 40.8.4, and 41.0.0, resolving the scoping issue for nodeIntegrationInWorker. Mitigation involves updating to these patched versions and reviewing application configurations to ensure nodeIntegrationInWorker is enabled only where necessary.
Details
- CWE(s)