Description
Electron is a framework for writing cross-platform desktop applications using JavaScript, HTML and CSS. Prior to versions 38.8.6, 39.8.4, 40.8.4, and 41.0.0, the nodeIntegrationInWorker webPreference was not correctly scoped in all configurations. In certain process-sharing scenarios, workers spawned in frames configured with nodeIntegrationInWorker: false could still receive Node.js integration. Apps are only affected if they enable nodeIntegrationInWorker. Apps that do not use nodeIntegrationInWorker are not affected. This issue has been patched in versions 38.8.6, 39.8.4, 40.8.4, and 41.0.0.
Published: 2026-04-03
Score: 6.8 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Potential code execution via unintended Node.js integration in workers
Action: Immediate Patch
AI Analysis

Impact

Electron applications that enable the nodeIntegrationInWorker option can unintentionally expose the Node.js runtime to web workers. Before the patched releases, the renderer process did not correctly scope this preference, allowing workers created in frames marked nodeIntegrationInWorker:false to still receive Node.js integration. This flaw enables an attacker to execute arbitrary JavaScript within the Node context, potentially leading to critical code‑execution or privilege escalation inside the desktop application. The weakness aligns with authorization bypass using privilege and improper restriction of operations categories.

Affected Systems

This vulnerability affects Electron framework versions older than 38.8.6, 39.8.4, 40.8.4 and 41.0.0 when the nodeIntegrationInWorker option is enabled. Applications that never enable this setting are not impacted. Developers should verify whether their projects set webPreferences.nodeIntegrationInWorker:true and upgrade if necessary.

Risk and Exploitability

The advisory assigns a CVSS score of 6.8, indicating moderate severity. The EPSS score is below 1%, suggesting a low exploitation probability, and the flaw is not listed in the KEV catalog. Based on the description, it is inferred that exploitation would require an attacker to supply a malicious worker script or otherwise inject code into an Electron app that has enabled nodeIntegrationInWorker. Because the vulnerability is local to the application runtime, it is most relevant to scenarios where an attacker has access to the host machine or compromised content within the app's renderer. Overall risk remains moderate with a low likelihood of exploitation.

Generated by OpenCVE AI on April 7, 2026 at 01:46 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Electron to version 38.8.6 or newer, 39.8.4 or newer, 40.8.4 or newer, or 41.0.0 or newer.
  • Verify that nodeIntegrationInWorker is disabled in any rendering contexts that do not require Node.js integration.

Generated by OpenCVE AI on April 7, 2026 at 01:46 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-xwr5-m59h-vwqr Electron: nodeIntegrationInWorker not correctly scoped in shared renderer processes
History

Wed, 22 Apr 2026 18:00:00 +0000

Type Values Removed Values Added
First Time appeared Electronjs
Electronjs electron
CPEs cpe:2.3:a:electronjs:electron:*:*:*:*:*:node.js:*:*
cpe:2.3:a:electronjs:electron:41.0.0:alpha1:*:*:*:node.js:*:*
cpe:2.3:a:electronjs:electron:41.0.0:alpha2:*:*:*:node.js:*:*
cpe:2.3:a:electronjs:electron:41.0.0:alpha3:*:*:*:node.js:*:*
cpe:2.3:a:electronjs:electron:41.0.0:alpha4:*:*:*:node.js:*:*
cpe:2.3:a:electronjs:electron:41.0.0:alpha5:*:*:*:node.js:*:*
cpe:2.3:a:electronjs:electron:41.0.0:alpha6:*:*:*:node.js:*:*
cpe:2.3:a:electronjs:electron:41.0.0:beta1:*:*:*:node.js:*:*
cpe:2.3:a:electronjs:electron:41.0.0:beta2:*:*:*:node.js:*:*
cpe:2.3:a:electronjs:electron:41.0.0:beta3:*:*:*:node.js:*:*
cpe:2.3:a:electronjs:electron:41.0.0:beta4:*:*:*:node.js:*:*
cpe:2.3:a:electronjs:electron:41.0.0:beta5:*:*:*:node.js:*:*
cpe:2.3:a:electronjs:electron:41.0.0:beta6:*:*:*:node.js:*:*
cpe:2.3:a:electronjs:electron:41.0.0:beta7:*:*:*:node.js:*:*
cpe:2.3:a:electronjs:electron:41.0.0:beta8:*:*:*:node.js:*:*
Vendors & Products Electronjs
Electronjs electron

Tue, 07 Apr 2026 00:00:00 +0000

Type Values Removed Values Added
First Time appeared Electron
Electron electron
Weaknesses CWE-266
Vendors & Products Electron
Electron electron
References
Metrics threat_severity

None

 threat_severity

Moderate

Mon, 06 Apr 2026 16:45:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Sat, 04 Apr 2026 00:00:00 +0000

Type Values Removed Values Added
Description Electron is a framework for writing cross-platform desktop applications using JavaScript, HTML and CSS. Prior to versions 38.8.6, 39.8.4, 40.8.4, and 41.0.0, the nodeIntegrationInWorker webPreference was not correctly scoped in all configurations. In certain process-sharing scenarios, workers spawned in frames configured with nodeIntegrationInWorker: false could still receive Node.js integration. Apps are only affected if they enable nodeIntegrationInWorker. Apps that do not use nodeIntegrationInWorker are not affected. This issue has been patched in versions 38.8.6, 39.8.4, 40.8.4, and 41.0.0.
Title Electron: nodeIntegrationInWorker not correctly scoped in shared renderer processes
Weaknesses CWE-653
References
Metrics cvssV3_1

{'score': 6.8, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N'}

Subscriptions

Electron Electron
Electronjs Electron
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-08T03:55:39.764Z

Reserved: 2026-03-30T19:54:55.555Z

Link: CVE-2026-34775

cve-icon Vulnrichment

Updated: 2026-04-06T15:53:00.458Z

cve-icon NVD

Status : Analyzed

Published: 2026-04-04T00:16:18.597

Modified: 2026-04-22T17:49:37.773

Link: CVE-2026-34775

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-04-03T23:55:20Z

Links: CVE-2026-34775 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-04-07T07:16:23Z

Weaknesses