PT-2026-30007 · Electron · Electron

Published 2026-04-03 · Updated 2026-04-04 · CVE-2026-34777

CVSS v3.1: 5.4 (Medium)
Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions: Electron versions prior to 38.8.6, 39.8.1, 40.8.1, and 41.0.0

Description: Prior to versions 38.8.6, 39.8.1, 40.8.1, and 41.0.0, when an iframe requests fullscreen, pointerLock, keyboardLock, openExternal, or media permissions, the origin passed to session.setPermissionRequestHandler() was the top-level page's origin rather than the requesting iframe's origin. Applications that grant permissions based on the origin parameter or on webContents.getURL() may therefore grant permissions to embedded third-party content without intending to. The correct requesting URL is available via details.requestingUrl, and applications that already check details.requestingUrl are not affected.

Recommendations: Update Electron to version 38.8.6, 39.8.1, 40.8.1, or 41.0.0 or later, depending on the release line in use. When deciding whether to grant fullscreen, pointerLock, keyboardLock, openExternal, or media permissions, inspect details.requestingUrl rather than the origin parameter or webContents.getURL().
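The following is an added example, not code from the advisory or from Electron itself. It contrasts a handler that keys its decision on webContents.getURL() (the pattern the advisory warns about) with one that keys it on details.requestingUrl, using a constructed allowlist and constructed URLs for the top-level page and an embedded iframe; the registration call is shown commented out so the file runs without Electron installed.

```javascript
// Added example (not Electron's own code). Permission-request handling in an
// Electron main process: decide on the frame that actually asked, not on the
// top-level page. TRUSTED_ORIGINS and all URLs below are constructed for the demo.
const TRUSTED_ORIGINS = new Set(['https://app.example']);
// Permissions the advisory names; anything else is denied by default.
const GUARDED = new Set(['fullscreen', 'pointerLock', 'keyboardLock', 'openExternal', 'media']);

// Normalise a URL to its origin; null when the value is missing or unparsable.
function originOf(url) {
  try { return new URL(url).origin; } catch { return null; }
}

// Pattern the advisory warns about: the decision is keyed on the top-level page
// URL, so an iframe from any other origin inherits the top-level page's trust.
function decideByTopLevel(webContents, permission) {
  if (!GUARDED.has(permission)) return false;
  return TRUSTED_ORIGINS.has(originOf(webContents.getURL()));
}

// Recommended pattern: key the decision on details.requestingUrl, the URL of
// the frame that made the request, and fail closed if it is absent.
function decideByRequestingFrame(permission, details) {
  if (!GUARDED.has(permission)) return false;
  const origin = originOf(details && details.requestingUrl);
  if (origin === null) return false;
  return TRUSTED_ORIGINS.has(origin);
}

// Handler with the setPermissionRequestHandler signature
// (webContents, permission, callback, details); callback(true) grants.
function permissionRequestHandler(webContents, permission, callback, details) {
  callback(decideByRequestingFrame(permission, details));
}

// Registration in the main process (commented out so this file runs without Electron):
// const { session } = require('electron');
// session.defaultSession.setPermissionRequestHandler(permissionRequestHandler);
```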

Fix

Weakness Enumeration: Origin Validation Error

Related Identifiers: CVE-2026-34777, GHSA-R5P7-GP4J-QHRX

Affected Products: Electron