CVE-2026-34775

CVSS v3.1

6.8

Medium

AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N

Impact

The nodeIntegrationInWorker webPreference was not correctly scoped in all configurations. In certain process-sharing scenarios, workers spawned in frames configured with nodeIntegrationInWorker: false could still receive Node.js integration.

Apps are only affected if they enable nodeIntegrationInWorker. Apps that do not use nodeIntegrationInWorker are not affected.

Workarounds

Avoid enabling nodeIntegrationInWorker in apps that also open child windows or embed content with differing webPreferences.

Fixed Versions

41.0.0
40.8.4
39.8.4
38.8.6

For more information

If there are any questions or comments about this advisory, please email security@electronjs.org

Fix

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-653

Related Identifiers

CVE-2026-34775

GHSA-XWR5-M59H-VWQR

Affected Products

Electron

CVE-2026-34775

Impact

Workarounds

Fixed Versions

For more information

Weakness Enumeration

Related Identifiers

Affected Products

References · 3