CVE-2026-34780
Published: 04 April 2026
Summary
CVE-2026-34780 is a high-severity Exposure of Resource to Wrong Sphere (CWE-668) vulnerability in Electronjs Electron. Its CVSS base score is 8.3 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). The CVE ranks at the 1.8th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 CM-6 (Configuration Settings) and SI-2 (Flaw Remediation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
Directly mitigates CVE-2026-34780 by requiring identification, reporting, and correction of the Electron context isolation bypass flaw through upgrading to patched versions 39.8.0, 40.7.0, or 41.0.0-beta.8.
Enforces secure configuration of Electron applications to avoid returning, resolving, or passing VideoFrame objects via contextBridge.exposeInMainWorld(), preventing the isolation bypass as apps not bridging these objects are unaffected.
Requires process isolation between Electron's main world and isolated preload contexts to limit unauthorized access to Node.js APIs despite the VideoFrame bridging bypass.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The context isolation bypass grants access to Node.js APIs from the renderer, directly enabling privilege escalation (T1068) and command execution via JavaScript (T1059.007).
NVD Description
Electron is a framework for writing cross-platform desktop applications using JavaScript, HTML and CSS. From versions 39.0.0-alpha.1 to before 39.8.0, 40.0.0-alpha.1 to before 40.7.0, and 41.0.0-alpha.1 to before 41.0.0-beta.8, apps that pass VideoFrame objects (from the WebCodecs API) across the contextBridge are vulnerable to a context isolation bypass. An attacker who can execute JavaScript in the main world (for example, via XSS) can use a bridged VideoFrame to gain access to the isolated world, including any Node.js APIs exposed to the preload script. Apps are only affected if a preload script returns, resolves, or passes a VideoFrame object to the main world via contextBridge.exposeInMainWorld(). Apps that do not bridge VideoFrame objects are not affected. This issue has been patched in versions 39.8.0, 40.7.0, and 41.0.0-beta.8.
Deeper analysis
Electron, a framework for developing cross-platform desktop applications using JavaScript, HTML, and CSS, is affected by CVE-2026-34780, a context isolation bypass vulnerability. This flaw impacts versions 39.0.0-alpha.1 through 39.7.999 (before 39.8.0), 40.0.0-alpha.1 through 40.6.999 (before 40.7.0), and 41.0.0-alpha.1 through 41.0.0-beta.7 (before 41.0.0-beta.8). It arises when applications pass VideoFrame objects from the WebCodecs API across the contextBridge, which lets code in the main world reach the isolated world that context isolation is meant to keep separate.
An attacker who can execute arbitrary JavaScript in the main world—for instance, via cross-site scripting (XSS)—can leverage a bridged VideoFrame object to breach context isolation and access the isolated world. This gives the attacker access to any Node.js APIs exposed to the preload script. Exploitation requires the target application to explicitly return, resolve, or pass VideoFrame objects to the main world via contextBridge.exposeInMainWorld(); applications that do not bridge these objects are unaffected. The vulnerability carries a CVSS v3.1 base score of 8.3 (AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H) and is associated with CWEs 668 (Exposure of Resource to Wrong Sphere) and 1188 (Insecure Default Initialization of Resource).
The official Electron security advisory (GHSA-jfqg-hf23-qpw2) at https://github.com/electron/electron/security/advisories/GHSA-jfqg-hf23-qpw2 confirms the issue and states that it has been addressed in Electron versions 39.8.0, 40.7.0, and 41.0.0-beta.8. Practitioners should verify and upgrade affected Electron-based applications to these patched releases or later to eliminate the bypass risk.
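To support the version verification recommended above, the following added example (not code from Electron or the advisory) tests a version string against the three affected ranges using semver precedence, so that pre-release tags such as `41.0.0-beta.7` are ordered correctly. The function names are illustrative assumptions; the range boundaries are the versions quoted on this page.

```javascript
// Added example: check an Electron version against the affected ranges in this advisory.
// Each range is [first affected, first fixed), using the versions quoted on this page.
const AFFECTED_RANGES = [
  ["39.0.0-alpha.1", "39.8.0"],
  ["40.0.0-alpha.1", "40.7.0"],
  ["41.0.0-alpha.1", "41.0.0-beta.8"],
];

// Parse "X.Y.Z" or "X.Y.Z-tag.N"; returns null when the string is not a version.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?(?:\+.*)?$/.exec(String(v).trim());
  if (!m) return null;
  return { core: [Number(m[1]), Number(m[2]), Number(m[3])], pre: m[4] ? m[4].split(".") : [] };
}

// Semver 2.0.0 precedence: negative if a < b, zero if equal, positive if a > b.
// Nightly tags are not special-cased; plain semver ordering is applied to them.
function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a.core[i] !== b.core[i]) return a.core[i] - b.core[i];
  }
  // A release (no pre-release tag) sorts after any pre-release of the same core.
  if (!a.pre.length || !b.pre.length) return b.pre.length - a.pre.length;
  for (let i = 0; i < Math.max(a.pre.length, b.pre.length); i++) {
    const x = a.pre[i], y = b.pre[i];
    if (x === undefined) return -1; // shorter identifier list sorts first
    if (y === undefined) return 1;
    const xn = /^\d+$/.test(x), yn = /^\d+$/.test(y);
    if (xn && yn) { if (Number(x) !== Number(y)) return Number(x) - Number(y); }
    else if (xn !== yn) return xn ? -1 : 1; // numeric identifiers sort before text
    else if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// True when the version falls inside any affected range.
function isAffected(version) {
  const v = parseVersion(version);
  if (!v) throw new TypeError(`unparseable Electron version: ${version}`);
  return AFFECTED_RANGES.some(([lo, hi]) =>
    compareVersions(v, parseVersion(lo)) >= 0 && compareVersions(v, parseVersion(hi)) < 0);
}

// Inside an Electron process, process.versions.electron holds the runtime version.
if (typeof process !== "undefined" && process.versions && process.versions.electron) {
  console.log(`Electron ${process.versions.electron} in affected range: ${isAffected(process.versions.electron)}`);
}
```

A version inside a range is only exposed if a preload script bridges a VideoFrame via contextBridge.exposeInMainWorld(), so pair this check with a review of what the preload returns, resolves, or passes to the main world.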