CVE-2026-34768

Name of the Vulnerable Software and Affected Versions Electron versions prior to 38.8.6, 39.8.1, 40.8.0, and 41.0.0-beta.8

Description On Windows, the app.setLoginItemSettings({openAtLogin: true}) function writes the executable path to the Run registry key without proper quoting. If the application is installed in a path containing spaces, an attacker with write access to an ancestor directory could potentially replace the intended application with a different executable that runs at login. Exploitation typically requires a non-standard installation location, as standard system directories are usually protected against unauthorized writes by standard users.

Recommendations Versions prior to 38.8.6: Update to version 38.8.6 or later. Versions prior to 39.8.1: Update to version 39.8.1 or later. Versions prior to 40.8.0: Update to version 40.8.0 or later. Versions prior to 41.0.0-beta.8: Update to version 41.0.0-beta.8 or later. As a workaround, install the application to a path without spaces or to a location where all ancestor directories are protected against unauthorized writes.