Description
electron-updater allows for automatic updates for Electron apps. Prior to 26.15.0, AppImage targets built by app-builder-lib could use an empty path component when setting the LD_LIBRARY_PATH environment variable at runtime. This causes the current working directory to be added to the dynamic linker search path, which may allow an attacker to execute arbitrary code by placing a malicious shared library in the directory from which the AppImage is launched. This issue has been fixed in version 26.15.0.
Published: 2026-06-30
Score: 7.8 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

In AppImages built by app-builder-lib before 26.15.0, the launcher sets LD_LIBRARY_PATH with an empty path component at runtime. The dynamic linker treats an empty component as the current working directory, so an attacker who can place a malicious shared library in the directory from which the AppImage is launched can have the application load and execute that code. The weakness is classified as CWE-427 (Uncontrolled Search Path Element) and can lead to arbitrary code execution with the privileges of the AppImage process.

Affected Systems

The issue affects users of electron-userland:app-builder-lib and electron-builder that build AppImage targets before version 26.15.0. The vulnerability is specific to AppImage builds produced by app-builder-lib; all later releases from 26.15.0 onward are considered fixed.

Risk and Exploitability

The CVSS 3.1 score of 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) reflects high-severity local code execution. EPSS data is not available, and the issue is not listed in the CISA KEV catalog, so there is no public record of exploitation in the wild at this time. The attack requires the ability to write a malicious shared library into the directory from which an AppImage is launched, or to influence the LD_LIBRARY_PATH environment variable, which typically means a local adversary or one who can control the launch directory. The risk is therefore significant for installations that launch affected AppImages from directories that other parties can write to.

Generated by OpenCVE AI on June 30, 2026 at 23:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade electron-builder to version 26.15.0 or later, which removes the empty path component from LD_LIBRARY_PATH during AppImage launch.
  • Ensure that the LD_LIBRARY_PATH variable is cleared or set to a safe value before starting the AppImage so that the current working directory is not added to the linker search path.
  • As a temporary measure, avoid starting the AppImage from directories the user cannot control, or set file permissions to prevent writing new shared libraries in that launch directory.
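As an added illustration of the condition the second and third actions above address (this is example code, not code from electron-builder, app-builder-lib or OpenCVE), the POSIX sh functions below show how an empty component arises when a launcher prepends its library directory to an unset LD_LIBRARY_PATH, and give a check plus a sanitizer that a launcher or wrapper script can apply before exporting the variable. The directory /opt/app/usr/lib is a placeholder.

```shell
# Added example, not code from electron-builder/app-builder-lib or OpenCVE.
# ld.so treats an empty LD_LIBRARY_PATH component (leading ':', trailing ':'
# or '::') as the current working directory, which is the condition behind
# this CVE. The library directory used below is a placeholder.
# Typical way the defect arises: prepending a directory to a variable that is
# unset leaves a trailing ':' and therefore an empty component.
unsafe_prefix_path() {
    printf '%s\n' "$1:$2"          # $1 = app lib dir, $2 = inherited value
}

# Return 0 (true) when the colon-separated value contains an empty component.
has_empty_component() {
    if [ -z "$1" ]; then
        return 1                    # an empty variable is treated as unset
    fi
    case ":$1:" in
        *::*) return 0 ;;
        *)    return 1 ;;
    esac
}

# Rebuild the value keeping only non-empty components.
sanitize_ld_library_path() {
    rest=$1
    result=
    while [ -n "$rest" ]; do
        case $rest in
            *:*) part=${rest%%:*}; rest=${rest#*:} ;;
            *)   part=$rest;       rest= ;;
        esac
        [ -n "$part" ] || continue
        result=${result:+$result:}$part
    done
    printf '%s\n' "$result"
}

# Safe replacement for unsafe_prefix_path: never emits an empty component.
safe_prefix_path() {
    sanitize_ld_library_path "$1:$2"
}

# Value a launcher could export before exec'ing the application (placeholder dir).
demo_launch_value() {
    candidate=$(unsafe_prefix_path /opt/app/usr/lib "${LD_LIBRARY_PATH:-}")
    if has_empty_component "$candidate"; then
        echo "warning: empty LD_LIBRARY_PATH component, sanitizing" >&2
    fi
    safe_prefix_path /opt/app/usr/lib "${LD_LIBRARY_PATH:-}"
}
```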


Advisories

No advisories yet.

History

Tue, 30 Jun 2026 22:45:00 +0000

Type          Values Removed   Values Added
Description                    electron-updater allows for automatic updates for Electron apps. Prior to 26.15.0, AppImage targets built by app-builder-lib could use an empty path component when setting the LD_LIBRARY_PATH environment variable at runtime. This causes the current working directory to be added to the dynamic linker search path, which may allow an attacker to execute arbitrary code by placing a malicious shared library in the directory from which the AppImage is launched. This issue has been fixed in version 26.15.0.
Title                          electron-updater: Uncontrolled search path elements within `AppImage` built by `app-builder-lib`
Weaknesses                     CWE-427
References
Metrics                        cvssV3_1 {'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-30T22:15:03.264Z

Reserved: 2026-06-15T22:53:58.560Z

Link: CVE-2026-54672

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-30T23:30:04Z

Weaknesses
  • CWE-427

    Uncontrolled Search Path Element