CVE-2026-34765

Name of the Vulnerable Software and Affected Versions Electron versions prior to 39.8.5 Electron versions prior to 40.8.5 Electron versions prior to 41.1.0 Electron versions prior to 42.0.0-alpha.5

Description Electron did not correctly scope the named-window lookup to the opener's browsing context group when a renderer calls window.open() with a target name. This allowed a renderer to navigate an existing child window opened by a different renderer if both used the same target name. If the existing child window was created with more permissive webPreferences through setWindowOpenHandler's overrideBrowserWindowOptions, the content loaded by the second renderer inherited those permissions. Applications are affected only if they open multiple top-level windows with differing trust levels and use setWindowOpenHandler to grant child windows elevated webPreferences, such as a privileged preload script. Applications that do not elevate child window privileges or use a single top-level window are not affected. Applications that grant nodeIntegration: true or sandbox: false to child windows may be exposed to arbitrary code execution.

Recommendations Update to Electron version 39.8.5 or later. Update to Electron version 40.8.5 or later. Update to Electron version 41.1.0 or later. Update to Electron version 42.0.0-alpha.5 or later. Deny window.open() in renderers that load untrusted content by returning { action: 'deny' } from setWindowOpenHandler. Avoid granting child windows more permissive webPreferences than their opener.