Description
Electron is a framework for writing cross-platform desktop applications using JavaScript, HTML and CSS. Prior to versions 38.8.6, 39.8.1, 40.8.1, and 41.0.0, when an iframe requests fullscreen, pointerLock, keyboardLock, openExternal, or media permissions, the origin passed to session.setPermissionRequestHandler() was the top-level page's origin rather than the requesting iframe's origin. Apps that grant permissions based on the origin parameter or webContents.getURL() may inadvertently grant permissions to embedded third-party content. The correct requesting URL remains available via details.requestingUrl. Apps that already check details.requestingUrl are not affected. This issue has been patched in versions 38.8.6, 39.8.1, 40.8.1, and 41.0.0.
Published: 2026-04-03
Score: 5.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Improper Permission Grant via Incorrect Origin
Action: Patch
AI Analysis

Impact

The flaw causes Electron to pass the top‑level page’s origin instead of the iframe’s origin when a fullscreen, pointer lock, keyboard lock, open external, or media request is made. Applications that grant permissions based on the origin parameter or the result of webContents.getURL() may therefore incorrectly grant elevated rights to third‑party iframe content. The mistake enables the application to give sensitive privileges to embedded sites without the user’s explicit consent.

Affected Systems

Electron framework releases prior to versions 38.8.6, 39.8.1, 40.8.1, and 41.0.0 are affected. Developers who have built desktop applications with those releases and who rely on origin‑based permission checks are within scope. The issue pertains exclusively to the Electron:electron product and does not involve other vendors’ software.

Risk and Exploitability

The vulnerability has a CVSS score of 5.4, indicating moderate severity. No EPSS score is provided and the flaw is not listed in CISA’s KEV catalog. Exploitation requires the attacker to supply or control an iframe within the application and rely on the application’s permission handling logic. If the application correctly checks the details.requestingUrl field, the vulnerability is effectively mitigated. Therefore, the practical risk is moderate when such checks are in place, but higher if the application grants based on the incorrect origin.

Generated by OpenCVE AI on April 4, 2026 at 02:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Electron to version 38.8.6, 39.8.1, 40.8.1, 41.0.0 or later

Generated by OpenCVE AI on April 4, 2026 at 02:50 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-r5p7-gp4j-qhrx Electron: Incorrect origin passed to permission request handler for iframe requests
History

Mon, 20 Apr 2026 14:30:00 +0000

Type Values Removed Values Added
First Time appeared Electronjs
Electronjs electron
CPEs cpe:2.3:a:electronjs:electron:*:*:*:*:*:node.js:*:*
cpe:2.3:a:electronjs:electron:41.0.0:alpha1:*:*:*:node.js:*:*
cpe:2.3:a:electronjs:electron:41.0.0:alpha2:*:*:*:node.js:*:*
cpe:2.3:a:electronjs:electron:41.0.0:alpha3:*:*:*:node.js:*:*
cpe:2.3:a:electronjs:electron:41.0.0:alpha4:*:*:*:node.js:*:*
cpe:2.3:a:electronjs:electron:41.0.0:alpha5:*:*:*:node.js:*:*
cpe:2.3:a:electronjs:electron:41.0.0:alpha6:*:*:*:node.js:*:*
cpe:2.3:a:electronjs:electron:41.0.0:beta1:*:*:*:node.js:*:*
cpe:2.3:a:electronjs:electron:41.0.0:beta2:*:*:*:node.js:*:*
cpe:2.3:a:electronjs:electron:41.0.0:beta3:*:*:*:node.js:*:*
cpe:2.3:a:electronjs:electron:41.0.0:beta4:*:*:*:node.js:*:*
cpe:2.3:a:electronjs:electron:41.0.0:beta5:*:*:*:node.js:*:*
cpe:2.3:a:electronjs:electron:41.0.0:beta6:*:*:*:node.js:*:*
cpe:2.3:a:electronjs:electron:41.0.0:beta7:*:*:*:node.js:*:*
cpe:2.3:a:electronjs:electron:41.0.0:beta8:*:*:*:node.js:*:*
Vendors & Products Electronjs
Electronjs electron

Tue, 07 Apr 2026 00:00:00 +0000

Type Values Removed Values Added
First Time appeared Electron
Electron electron
Vendors & Products Electron
Electron electron
References
Metrics threat_severity

None

 threat_severity

Moderate

Mon, 06 Apr 2026 16:45:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Sat, 04 Apr 2026 00:00:00 +0000

Type Values Removed Values Added
Description Electron is a framework for writing cross-platform desktop applications using JavaScript, HTML and CSS. Prior to versions 38.8.6, 39.8.1, 40.8.1, and 41.0.0, when an iframe requests fullscreen, pointerLock, keyboardLock, openExternal, or media permissions, the origin passed to session.setPermissionRequestHandler() was the top-level page's origin rather than the requesting iframe's origin. Apps that grant permissions based on the origin parameter or webContents.getURL() may inadvertently grant permissions to embedded third-party content. The correct requesting URL remains available via details.requestingUrl. Apps that already check details.requestingUrl are not affected. This issue has been patched in versions 38.8.6, 39.8.1, 40.8.1, and 41.0.0.
Title Electron: Incorrect origin passed to permission request handler for iframe requests
Weaknesses CWE-346
References
Metrics cvssV3_1

{'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N'}

Subscriptions

Electron Electron
Electronjs Electron
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-06T15:33:30.315Z

Reserved: 2026-03-30T19:54:55.555Z

Link: CVE-2026-34777

cve-icon Vulnrichment

Updated: 2026-04-06T15:33:21.008Z

cve-icon NVD

Status : Analyzed

Published: 2026-04-04T00:16:18.907

Modified: 2026-04-20T14:19:18.090

Link: CVE-2026-34777

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-04-03T23:57:36Z

Links: CVE-2026-34777 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-04-06T22:21:10Z

Weaknesses