Staging Environment: Content and features may be unstable or change without notice.
Search for vulnerabilities
Vulnerability details: VCID-cjzy-nxnq-ffdp
Vulnerability ID VCID-cjzy-nxnq-ffdp
Aliases CVE-2026-34775
GHSA-xwr5-m59h-vwqr
Summary Electron: nodeIntegrationInWorker not correctly scoped in shared renderer processes ### Impact The `nodeIntegrationInWorker` webPreference was not correctly scoped in all configurations. In certain process-sharing scenarios, workers spawned in frames configured with `nodeIntegrationInWorker: false` could still receive Node.js integration. Apps are only affected if they enable `nodeIntegrationInWorker`. Apps that do not use `nodeIntegrationInWorker` are not affected. ### Workarounds Avoid enabling `nodeIntegrationInWorker` in apps that also open child windows or embed content with differing webPreferences. ### Fixed Versions * `41.0.0` * `40.8.4` * `39.8.4` * `38.8.6` ### For more information If there are any questions or comments about this advisory, please email [security@electronjs.org](mailto:security@electronjs.org)
Status Published
Exploitability 0.5
Weighted Severity 6.2
Risk 3.1
Affected and Fixed Packages Package Details
Weaknesses (4)
CWE-653 Improper Isolation or Compartmentalization
CWE-266 Incorrect Privilege Assignment
CWE-937 OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities
CWE-1035 OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities
System Score Found at
cvssv3 6.8 https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-34775.json
epss 0.0001 https://api.first.org/data/v1/epss?cve=CVE-2026-34775
epss 0.00012 https://api.first.org/data/v1/epss?cve=CVE-2026-34775
epss 0.00012 https://api.first.org/data/v1/epss?cve=CVE-2026-34775
epss 0.00012 https://api.first.org/data/v1/epss?cve=CVE-2026-34775
epss 0.00013 https://api.first.org/data/v1/epss?cve=CVE-2026-34775
epss 0.00031 https://api.first.org/data/v1/epss?cve=CVE-2026-34775
epss 0.00031 https://api.first.org/data/v1/epss?cve=CVE-2026-34775
epss 0.00031 https://api.first.org/data/v1/epss?cve=CVE-2026-34775
epss 0.00033 https://api.first.org/data/v1/epss?cve=CVE-2026-34775
epss 0.00033 https://api.first.org/data/v1/epss?cve=CVE-2026-34775
epss 0.00033 https://api.first.org/data/v1/epss?cve=CVE-2026-34775
epss 0.00033 https://api.first.org/data/v1/epss?cve=CVE-2026-34775
epss 0.00033 https://api.first.org/data/v1/epss?cve=CVE-2026-34775
epss 0.00033 https://api.first.org/data/v1/epss?cve=CVE-2026-34775
cvssv3.1_qr MODERATE https://github.com/advisories/GHSA-xwr5-m59h-vwqr
cvssv3.1 6.8 https://github.com/electron/electron
generic_textual MODERATE https://github.com/electron/electron
cvssv3.1 6.8 https://github.com/electron/electron/security/advisories/GHSA-xwr5-m59h-vwqr
cvssv3.1_qr MODERATE https://github.com/electron/electron/security/advisories/GHSA-xwr5-m59h-vwqr
generic_textual MODERATE https://github.com/electron/electron/security/advisories/GHSA-xwr5-m59h-vwqr
ssvc Track https://github.com/electron/electron/security/advisories/GHSA-xwr5-m59h-vwqr
cvssv3.1 6.8 https://nvd.nist.gov/vuln/detail/CVE-2026-34775
generic_textual MODERATE https://nvd.nist.gov/vuln/detail/CVE-2026-34775
Reference id Reference type URL
https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-34775.json
https://api.first.org/data/v1/epss?cve=CVE-2026-34775
https://github.com/electron/electron
https://github.com/electron/electron/security/advisories/GHSA-xwr5-m59h-vwqr
https://nvd.nist.gov/vuln/detail/CVE-2026-34775
2455023 https://bugzilla.redhat.com/show_bug.cgi?id=2455023
GHSA-xwr5-m59h-vwqr https://github.com/advisories/GHSA-xwr5-m59h-vwqr
No exploits are available.
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N Found at https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-34775.json
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N Found at https://github.com/electron/electron
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N Found at https://github.com/electron/electron/security/advisories/GHSA-xwr5-m59h-vwqr
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-04-06T15:52:56Z/ Found at https://github.com/electron/electron/security/advisories/GHSA-xwr5-m59h-vwqr
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N Found at https://nvd.nist.gov/vuln/detail/CVE-2026-34775
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Exploit Prediction Scoring System (EPSS)
Percentile 0.01183
EPSS Score 0.0001
Published At April 21, 2026, 12:55 p.m.
Date Actor Action Source VulnerableCode Version
2026-04-03T21:42:20.087983+00:00 GithubOSV Importer Import https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/04/GHSA-xwr5-m59h-vwqr/GHSA-xwr5-m59h-vwqr.json 38.1.0