Description
Electron is a framework for writing cross-platform desktop applications using JavaScript, HTML and CSS. Prior to versions 38.8.6, 39.8.1, 40.8.0, and 41.0.0-beta.8, on Windows, app.setLoginItemSettings({openAtLogin: true}) wrote the executable path to the Run registry key without quoting. If the app is installed to a path containing spaces, an attacker with write access to an ancestor directory may be able to cause a different executable to run at login instead of the intended app. On a default Windows install, standard system directories are protected against writes by standard users, so exploitation typically requires a non-standard install location. This issue has been patched in versions 38.8.6, 39.8.1, 40.8.0, and 41.0.0-beta.8.
Published: 2026-04-03
Score: 3.9 Low
EPSS: < 1% Very Low
KEV: No
Impact: Local code execution at login
Action: Apply patch
AI Analysis

Impact

Electron, a popular framework for building desktop applications, has a weakness classified as CWE-428 (unquoted search path): when a login item is enabled, the executable path is written to the Windows Run registry key without quotation marks. Prior to the patched releases, an attacker who can write to an ancestor directory of the installation path could cause Windows to resolve the unquoted path to a different executable. When the user logs in, Windows executes the attacker-supplied program instead of the legitimate application, giving the attacker local code execution at startup.

Affected Systems

Electron releases before 38.8.6, 39.8.1, 40.8.0, and 41.0.0-beta.8 are affected. These include all earlier 38.x, 39.x, 40.x, and the beta series up to 41.0.0-beta.7. The issue is limited to Windows platforms and only impacts applications that register a login item via the Run registry key.

Risk and Exploitability

The base CVSS score of 3.9 indicates low severity, and the EPSS score below 1% indicates a very small likelihood of exploitation. The vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog. Practical exploitation requires write permission to a directory that is an ancestor of the application's installation path, which a standard Windows installation restricts for system directories. If the application is installed in a non-standard location that the attacker can modify, or if the attacker already has local write capability there, they can cause an executable of their choosing to run in place of the intended one, with the logged-in user's privileges at login.
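As an added example (not Electron's or OpenCVE's code), the following Node.js script shows the defender-side check for this weakness class: it parses Run-key values, lists which files Windows would try before the intended executable when the path is unquoted, and reports the ancestor directories whose ACLs need review. It also shows the quoted value a patched login-item writer should produce. The registry names and values in SAMPLE_RUN_ENTRIES are constructed for the example.

```javascript
// Added example, not Electron's own code: audit Windows Run-key values for
// CWE-428 (unquoted executable path containing spaces) and build the quoted
// form an installer or login-item helper should write.

// Constructed sample Run values (HKCU\...\CurrentVersion\Run style), not from a real host.
const SAMPLE_RUN_ENTRIES = [
  { name: 'ExampleChat',  value: 'C:\\Program Files\\Example Chat\\Example Chat.exe' },
  { name: 'ExampleNotes', value: '"C:\\Program Files\\Example Notes\\notes.exe" --hidden' },
  { name: 'ExampleSync',  value: 'C:\\Tools\\sync.exe --minimized' },
  { name: 'DevBuild',     value: 'D:\\builds\\my app\\app.exe' },
];

// A leading double quote delimits the executable exactly; anything else is
// an unquoted command line whose executable boundary Windows has to guess.
function parseRunValue(value) {
  const v = value.trim();
  if (!v.startsWith('"')) return { quoted: false, exe: v, args: '' };
  const end = v.indexOf('"', 1);
  if (end === -1) return { quoted: true, exe: v.slice(1), args: '' };
  return { quoted: true, exe: v.slice(1, end), args: v.slice(end + 1).trim() };
}

// For an unquoted command line, list the files Windows would try before the
// intended executable: each prefix ending at a space, with ".exe" appended
// (the CreateProcess resolution order Microsoft documents). The intended
// executable is taken to be the first prefix that already ends in ".exe",
// or the whole string if none does.
function hijackCandidates(unquotedCommand) {
  const cmd = unquotedCommand.trim();
  const candidates = [];
  for (let i = 0; i < cmd.length; i++) {
    if (cmd[i] !== ' ') continue;
    const prefix = cmd.slice(0, i);
    if (/\.exe$/i.test(prefix)) return { intended: prefix, candidates };
    candidates.push(prefix + '.exe');
  }
  return { intended: cmd, candidates };
}

// Minimal Windows dirname for drive-letter paths: "C:\x.exe" -> "C:\".
function winDirname(p) {
  const i = p.lastIndexOf('\\');
  return i <= 2 ? p.slice(0, 3) : p.slice(0, i);
}

// One finding per entry whose value is unquoted and whose executable path
// contains spaces; directoriesToCheck are the ancestors whose ACLs decide
// whether a standard user could plant one of the candidate files.
function auditRunEntries(entries) {
  const findings = [];
  for (const { name, value } of entries) {
    const parsed = parseRunValue(value);
    if (parsed.quoted) continue;
    const { intended, candidates } = hijackCandidates(parsed.exe);
    if (candidates.length === 0) continue;
    findings.push({
      name,
      value,
      intended,
      candidates,
      directoriesToCheck: [...new Set(candidates.map(winDirname))],
    });
  }
  return findings;
}

// The value a fixed login-item writer should produce: the executable path in
// double quotes, followed by arguments (each quoted if it contains whitespace).
function quotedRunValue(exePath, args = []) {
  const quotedArgs = args.map((a) => (/\s/.test(a) ? `"${a}"` : a));
  return [`"${exePath}"`, ...quotedArgs].join(' ');
}

console.log(JSON.stringify(auditRunEntries(SAMPLE_RUN_ENTRIES), null, 2));
console.log(quotedRunValue('C:\\Program Files\\Example Chat\\Example Chat.exe', ['--hidden']));
```

On the sample data only ExampleChat and DevBuild are reported; the quoted ExampleNotes entry and ExampleSync (whose executable path has no spaces) pass. The directories listed for ExampleChat are the system-protected ones the description mentions, while the D:\builds finding is the kind of non-standard install location where this issue becomes exploitable.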

Generated by OpenCVE AI on April 9, 2026 at 18:28 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Electron to a patched release such as 38.8.6, 39.8.1, 40.8.0, or 41.0.0-beta.8 or newer.


Advisories
Source: GitHub GHSA
ID: GHSA-jfqx-fxh3-c62j
Title: Electron: Unquoted executable path in app.setLoginItemSettings on Windows
History

Thu, 09 Apr 2026 16:15:00 +0000

Values added:
First Time appeared: Electronjs; Electronjs electron
CPEs:
cpe:2.3:a:electronjs:electron:*:*:*:*:*:node.js:*:*
cpe:2.3:a:electronjs:electron:41.0.0:alpha1:*:*:*:node.js:*:*
cpe:2.3:a:electronjs:electron:41.0.0:alpha2:*:*:*:node.js:*:*
cpe:2.3:a:electronjs:electron:41.0.0:alpha3:*:*:*:node.js:*:*
cpe:2.3:a:electronjs:electron:41.0.0:alpha4:*:*:*:node.js:*:*
cpe:2.3:a:electronjs:electron:41.0.0:alpha5:*:*:*:node.js:*:*
cpe:2.3:a:electronjs:electron:41.0.0:alpha6:*:*:*:node.js:*:*
cpe:2.3:a:electronjs:electron:41.0.0:beta1:*:*:*:node.js:*:*
cpe:2.3:a:electronjs:electron:41.0.0:beta2:*:*:*:node.js:*:*
cpe:2.3:a:electronjs:electron:41.0.0:beta3:*:*:*:node.js:*:*
cpe:2.3:a:electronjs:electron:41.0.0:beta4:*:*:*:node.js:*:*
cpe:2.3:a:electronjs:electron:41.0.0:beta5:*:*:*:node.js:*:*
cpe:2.3:a:electronjs:electron:41.0.0:beta6:*:*:*:node.js:*:*
cpe:2.3:a:electronjs:electron:41.0.0:beta7:*:*:*:node.js:*:*
Vendors & Products: Electronjs; Electronjs electron

Tue, 07 Apr 2026 00:00:00 +0000

Values added:
First Time appeared: Electron; Electron electron
Vendors & Products: Electron; Electron electron
References
Metrics threat_severity: removed None, added Low


Mon, 06 Apr 2026 20:00:00 +0000

Values added:
Metrics ssvc:
{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Sat, 04 Apr 2026 00:00:00 +0000

Values added:
Description: Electron is a framework for writing cross-platform desktop applications using JavaScript, HTML and CSS. Prior to versions 38.8.6, 39.8.1, 40.8.0, and 41.0.0-beta.8, on Windows, app.setLoginItemSettings({openAtLogin: true}) wrote the executable path to the Run registry key without quoting. If the app is installed to a path containing spaces, an attacker with write access to an ancestor directory may be able to cause a different executable to run at login instead of the intended app. On a default Windows install, standard system directories are protected against writes by standard users, so exploitation typically requires a non-standard install location. This issue has been patched in versions 38.8.6, 39.8.1, 40.8.0, and 41.0.0-beta.8.
Title: Electron: Unquoted executable path in app.setLoginItemSettings on Windows
Weaknesses: CWE-428
References
Metrics cvssV3_1:
{'score': 3.9, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:L/I:L/A:L'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-06T19:08:58.533Z

Reserved: 2026-03-30T19:54:55.555Z

Link: CVE-2026-34768

Vulnrichment

Updated: 2026-04-06T19:08:53.839Z

NVD

Status : Analyzed

Published: 2026-04-04T00:16:17.500

Modified: 2026-04-09T16:10:39.150

Link: CVE-2026-34768

Redhat

Severity : Low

Public Date: 2026-04-03T23:44:55Z

Links: CVE-2026-34768 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-10T09:45:27Z

Weaknesses