CVE-2026-34768

CVSS v3.1

3.9

Low

AV:L/AC:H/PR:H/UI:N/S:U/C:L/I:L/A:L

Impact

On Windows, app.setLoginItemSettings({openAtLogin: true}) wrote the executable path to the Run registry key without quoting. If the app is installed to a path containing spaces, an attacker with write access to an ancestor directory may be able to cause a different executable to run at login instead of the intended app.

On a default Windows install, standard system directories are protected against writes by standard users, so exploitation typically requires a non-standard install location.

Workarounds

Install the application to a path without spaces, or to a location where all ancestor directories are protected against unauthorized writes.

Fixed Versions

41.0.0-beta.8
40.8.0
39.8.1
38.8.6

For more information

If there are any questions or comments about this advisory, send an email to security@electronjs.org

Fix

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-428

Related Identifiers

CVE-2026-34768

GHSA-JFQX-FXH3-C62J

Affected Products

Electron

CVE-2026-34768

Impact

Workarounds

Fixed Versions

For more information

Weakness Enumeration

Related Identifiers

Affected Products

References · 3