CVE-2026-34766

CVSS v3.1

3.3

Low

AV:L/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:N

Impact

The select-usb-device event callback did not validate the chosen device ID against the filtered list that was presented to the handler. An app whose handler could be influenced to select a device ID outside the filtered set would grant access to a device that did not match the renderer's requested filters or was listed in exclusionFilters.

The WebUSB security blocklist remained enforced regardless, so security-sensitive devices on the blocklist were not affected. The practical impact is limited to apps with unusual device-selection logic.

Workarounds

There are no app side workarounds, you must update to a patched version of Electron.

Fixed Versions

41.0.0-beta.8
40.7.0
39.8.0
38.8.6

For more information

If there are any questions or comments about this advisory, send an email to security@electronjs.org

Fix

Missing Authorization

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-862

Related Identifiers

CVE-2026-34766

GHSA-9899-M83M-QHPJ

Affected Products

Electron

CVE-2026-34766

Impact

Workarounds

Fixed Versions

For more information

Weakness Enumeration

Related Identifiers

Affected Products

References · 3