Description
Electron is a framework for writing cross-platform desktop applications using JavaScript, HTML and CSS. Prior to versions 38.8.6, 39.8.0, 40.7.0, and 41.0.0-beta.8, an undocumented commandLineSwitches webPreference allowed arbitrary switches to be appended to the renderer process command line. Apps that construct webPreferences by spreading untrusted configuration objects may inadvertently allow an attacker to inject switches that disable renderer sandboxing or web security controls. Apps are only affected if they construct webPreferences from external or untrusted input without an allowlist. Apps that use a fixed, hardcoded webPreferences object are not affected. This issue has been patched in versions 38.8.6, 39.8.0, 40.7.0, and 41.0.0-beta.8.
Published: 2026-04-03
Score: 7.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Privilege escalation through renderer switch injection
Action: Apply Patch
AI Analysis

Impact

Electron applications that build the webPreferences object from untrusted data can inject arbitrary command line switches into the renderer process. The injected switches can disable sandboxing or web security controls, allowing a malicious user to elevate privileges or execute code within the renderer context. This vulnerability aligns with CWE‑88 (Command Injection) and CWE‑912 (Unvalidated URL Parameters).

Affected Systems

Electron framework versions prior to 38.8.6, 39.8.0, 40.7.0 and 41.0.0‑beta.8 are affected when the webPreferences configuration is constructed from external or untrusted input. Applications that use fixed, hard‑coded webPreferences are not impacted. The 41.0.0 alpha and beta builds before 41.0.0‑beta.8 are also affected, as listed in the CPE identifiers.

Risk and Exploitability

The CVSS score of 7.8 indicates high severity, and the EPSS <1% suggests low current exploit probability. No known exploitation is listed in KEV, but attackers who can supply or modify the configuration data can enable the vulnerability. Once the renderer sandbox is disabled, an attacker can execute arbitrary code with the renderer’s privileges, potentially leading to system compromise. The attack requires local or remote control over application configuration; when such control is present, the risk is significant.

Generated by OpenCVE AI on April 9, 2026 at 17:32 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Electron to 38.8.6, 39.8.0, 40.7.0 or 41.0.0‑beta.8, or to a later release in the same line.
  • Build the webPreferences object from an allowlist of permitted keys (with type checks on their values) rather than spreading external or untrusted configuration into it.
  • If an upgrade is pending, explicitly remove the undocumented commandLineSwitches property when constructing webPreferences so that no switches from untrusted input reach the renderer command line.
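The following is an added example, not code from Electron or from this advisory, showing the vulnerable spread pattern next to an allowlist construction that implements the recommendations above. The permitted keys (zoomFactor, spellcheck, backgroundThrottling) and the sample config are assumptions chosen for illustration; the switch string in the sample is a constructed placeholder, not a real Chromium flag.

```javascript
// Added example, not Electron's own code: building BrowserWindow webPreferences
// from an untrusted config object without letting unknown keys through.
// No Electron import is needed; this is the pure object-construction step that
// would run before `new BrowserWindow({ webPreferences })`.

// Assumption: this app only wants a config file to tune these display options.
// Each entry maps the permitted key to the JavaScript type its value must have.
const ALLOWED_WEB_PREFERENCES = Object.freeze({
  zoomFactor: 'number',
  spellcheck: 'boolean',
  backgroundThrottling: 'boolean',
});

// Security-relevant settings the application owns. They are spread last so
// nothing coming from the config can override them.
const ENFORCED_WEB_PREFERENCES = Object.freeze({
  sandbox: true,
  contextIsolation: true,
  nodeIntegration: false,
  webSecurity: true,
});

// The pattern the advisory warns about: the untrusted object is spread verbatim,
// so every key it carries (commandLineSwitches and sandbox included) reaches Electron.
function buildWebPreferencesUnsafe(untrustedConfig) {
  return { sandbox: true, ...untrustedConfig };
}

// Allowlist construction: copy only known keys whose value has the expected type,
// record everything that was dropped (useful for logging), then apply the
// enforced settings on top.
function buildWebPreferencesSafe(untrustedConfig) {
  const accepted = {};
  const dropped = [];
  const source = untrustedConfig && typeof untrustedConfig === 'object' ? untrustedConfig : {};
  for (const [key, value] of Object.entries(source)) {
    // hasOwnProperty so prototype names such as "constructor" are never treated as allowed
    const allowed = Object.prototype.hasOwnProperty.call(ALLOWED_WEB_PREFERENCES, key);
    if (!allowed || typeof value !== ALLOWED_WEB_PREFERENCES[key]) {
      dropped.push(key);
      continue;
    }
    accepted[key] = value;
  }
  return { webPreferences: { ...accepted, ...ENFORCED_WEB_PREFERENCES }, dropped };
}

// Narrow stop-gap for apps that cannot move to an allowlist before upgrading:
// return a copy of an already-built webPreferences object with the undocumented
// commandLineSwitches key removed, plus a flag so the caller can log the event.
function stripCommandLineSwitches(webPreferences) {
  const { commandLineSwitches, ...rest } = webPreferences;
  return { webPreferences: rest, hadCommandLineSwitches: commandLineSwitches !== undefined };
}

// Constructed sample input, standing in for a config file the app does not control.
// The switch name is a placeholder, not a real Chromium flag.
const CONSTRUCTED_UNTRUSTED_CONFIG = Object.freeze({
  zoomFactor: 1.25,
  spellcheck: 'yes',                                      // wrong type: dropped
  sandbox: false,                                         // attempt to override an enforced setting
  commandLineSwitches: ['--constructed-example-switch'], // the key this advisory is about
});

console.log('unsafe:', buildWebPreferencesUnsafe(CONSTRUCTED_UNTRUSTED_CONFIG));
console.log('safe:', buildWebPreferencesSafe(CONSTRUCTED_UNTRUSTED_CONFIG));
console.log('stripped:', stripCommandLineSwitches(buildWebPreferencesUnsafe(CONSTRUCTED_UNTRUSTED_CONFIG)));
```

With the sample config, the unsafe builder hands Electron `sandbox: false` and the commandLineSwitches array, while the safe builder keeps only `zoomFactor`, reports `spellcheck`, `sandbox` and `commandLineSwitches` as dropped, and ends with the enforced sandbox, contextIsolation, nodeIntegration and webSecurity values. The `dropped` list is worth logging in production: an unexpected commandLineSwitches key in a config file is a concrete signal that someone is trying to reach the renderer command line.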

Advisories
Source: Github GHSA
ID: GHSA-9wfr-w7mm-pc7f
Title: Electron: Renderer command-line switch injection via undocumented commandLineSwitches webPreference
History

Thu, 09 Apr 2026 16:15:00 +0000

Type: First Time appeared
Values Added: Electronjs; Electronjs electron

Type: CPEs
Values Added:
cpe:2.3:a:electronjs:electron:*:*:*:*:*:node.js:*:*
cpe:2.3:a:electronjs:electron:41.0.0:alpha1:*:*:*:node.js:*:*
cpe:2.3:a:electronjs:electron:41.0.0:alpha2:*:*:*:node.js:*:*
cpe:2.3:a:electronjs:electron:41.0.0:alpha3:*:*:*:node.js:*:*
cpe:2.3:a:electronjs:electron:41.0.0:alpha4:*:*:*:node.js:*:*
cpe:2.3:a:electronjs:electron:41.0.0:alpha5:*:*:*:node.js:*:*
cpe:2.3:a:electronjs:electron:41.0.0:alpha6:*:*:*:node.js:*:*
cpe:2.3:a:electronjs:electron:41.0.0:beta1:*:*:*:node.js:*:*
cpe:2.3:a:electronjs:electron:41.0.0:beta2:*:*:*:node.js:*:*
cpe:2.3:a:electronjs:electron:41.0.0:beta3:*:*:*:node.js:*:*
cpe:2.3:a:electronjs:electron:41.0.0:beta4:*:*:*:node.js:*:*
cpe:2.3:a:electronjs:electron:41.0.0:beta5:*:*:*:node.js:*:*
cpe:2.3:a:electronjs:electron:41.0.0:beta6:*:*:*:node.js:*:*
cpe:2.3:a:electronjs:electron:41.0.0:beta7:*:*:*:node.js:*:*

Type: Vendors & Products
Values Added: Electronjs; Electronjs electron

Tue, 07 Apr 2026 00:00:00 +0000

Type: First Time appeared
Values Added: Electron; Electron electron

Type: Vendors & Products
Values Added: Electron; Electron electron

Type: References

Type: Metrics threat_severity
Values Removed: None
Values Added: Important


Mon, 06 Apr 2026 16:45:00 +0000

Type: Metrics ssvc
Values Added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Sat, 04 Apr 2026 00:00:00 +0000

Type: Description
Values Added: Electron is a framework for writing cross-platform desktop applications using JavaScript, HTML and CSS. Prior to versions 38.8.6, 39.8.0, 40.7.0, and 41.0.0-beta.8, an undocumented commandLineSwitches webPreference allowed arbitrary switches to be appended to the renderer process command line. Apps that construct webPreferences by spreading untrusted configuration objects may inadvertently allow an attacker to inject switches that disable renderer sandboxing or web security controls. Apps are only affected if they construct webPreferences from external or untrusted input without an allowlist. Apps that use a fixed, hardcoded webPreferences object are not affected. This issue has been patched in versions 38.8.6, 39.8.0, 40.7.0, and 41.0.0-beta.8.

Type: Title
Values Added: Electron: Renderer command-line switch injection via undocumented commandLineSwitches webPreference

Type: Weaknesses
Values Added: CWE-88; CWE-912

Type: References

Type: Metrics cvssV3_1
Values Added: {'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H'}


Subscriptions

Electron Electron
Electronjs Electron
MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-08T03:55:35.188Z

Reserved: 2026-03-30T19:54:55.555Z

Link: CVE-2026-34769

Vulnrichment

Updated: 2026-04-06T15:35:00.980Z

NVD

Status : Analyzed

Published: 2026-04-04T00:16:17.657

Modified: 2026-04-09T16:01:32.923

Link: CVE-2026-34769

Redhat

Severity : Important

Public Date: 2026-04-03T23:33:55Z

Links: CVE-2026-34769 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-10T09:45:30Z

Weaknesses