{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-34767", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-30T19:54:55.555Z", "datePublished": "2026-04-03T23:43:09.327Z", "dateUpdated": "2026-04-06T19:07:57.198Z"}, "containers": {"cna": {"title": "Electron: HTTP Response Header Injection in custom protocol handlers and webRequest", "problemTypes": [{"descriptions": [{"cweId": "CWE-74", "lang": "en", "description": "CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-113", "lang": "en", "description": "CWE-113: Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:H/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/electron/electron/security/advisories/GHSA-4p4r-m79c-wq3v", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/electron/electron/security/advisories/GHSA-4p4r-m79c-wq3v"}], "affected": [{"vendor": "electron", "product": "electron", "versions": [{"version": "< 38.8.6", "status": "affected"}, {"version": ">= 39.0.0-alpha.1, < 39.8.3", "status": "affected"}, {"version": ">= 40.0.0-alpha.1, < 40.8.3", "status": "affected"}, {"version": ">= 41.0.0-alpha.1, < 41.0.3", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-03T23:43:09.327Z"}, "descriptions": [{"lang": "en", "value": "Electron is a framework for writing cross-platform desktop applications using JavaScript, HTML and CSS. Prior to versions 38.8.6, 39.8.3, 40.8.3, and 41.0.3, apps that register custom protocol handlers via protocol.handle() / protocol.registerSchemesAsPrivileged() or modify response headers via webRequest.onHeadersReceived may be vulnerable to HTTP response header injection if attacker-controlled input is reflected into a response header name or value. An attacker who can influence a header value may be able to inject additional response headers, affecting cookies, content security policy, or cross-origin access controls. Apps that do not reflect external input into response headers are not affected. This issue has been patched in versions 38.8.6, 39.8.3, 40.8.3, and 41.0.3."}], "source": {"advisory": "GHSA-4p4r-m79c-wq3v", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-06T19:07:46.602540Z", "id": "CVE-2026-34767", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-06T19:07:57.198Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-34767", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-06T19:07:46.602540Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-06T19:07:52.702Z"}}], "cna": {"title": "Electron: HTTP Response Header Injection in custom protocol handlers and webRequest", "source": {"advisory": "GHSA-4p4r-m79c-wq3v", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.9, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}], "affected": [{"vendor": "electron", "product": "electron", "versions": [{"status": "affected", "version": "< 38.8.6"}, {"status": "affected", "version": ">= 39.0.0-alpha.1, < 39.8.3"}, {"status": "affected", "version": ">= 40.0.0-alpha.1, < 40.8.3"}, {"status": "affected", "version": ">= 41.0.0-alpha.1, < 41.0.3"}]}], "references": [{"url": "https://github.com/electron/electron/security/advisories/GHSA-4p4r-m79c-wq3v", "name": "https://github.com/electron/electron/security/advisories/GHSA-4p4r-m79c-wq3v", "tags": ["x_refsource_CONFIRM"]}], "descriptions": [{"lang": "en", "value": "Electron is a framework for writing cross-platform desktop applications using JavaScript, HTML and CSS. Prior to versions 38.8.6, 39.8.3, 40.8.3, and 41.0.3, apps that register custom protocol handlers via protocol.handle() / protocol.registerSchemesAsPrivileged() or modify response headers via webRequest.onHeadersReceived may be vulnerable to HTTP response header injection if attacker-controlled input is reflected into a response header name or value. An attacker who can influence a header value may be able to inject additional response headers, affecting cookies, content security policy, or cross-origin access controls. Apps that do not reflect external input into response headers are not affected. This issue has been patched in versions 38.8.6, 39.8.3, 40.8.3, and 41.0.3."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-74", "description": "CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-113", "description": "CWE-113: Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-03T23:43:09.327Z"}}}, "cveMetadata": {"cveId": "CVE-2026-34767", "state": "PUBLISHED", "dateUpdated": "2026-04-06T19:07:57.198Z", "dateReserved": "2026-03-30T19:54:55.555Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-04-03T23:43:09.327Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Electron is a framework for writing cross-platform desktop applications using JavaScript, HTML and CSS. Prior to versions 38.8.6, 39.8.3, 40.8.3, and 41.0.3, apps that register custom protocol handlers via protocol.handle() / protocol.registerSchemesAsPrivileged() or modify response headers via webRequest.onHeadersReceived may be vulnerable to HTTP response header injection if attacker-controlled input is reflected into a response header name or value. An attacker who can influence a header value may be able to inject additional response headers, affecting cookies, content security policy, or cross-origin access controls. Apps that do not reflect external input into response headers are not affected. This issue has been patched in versions 38.8.6, 39.8.3, 40.8.3, and 41.0.3."}], "id": "CVE-2026-34767", "lastModified": "2026-04-07T13:20:55.200", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 1.6, "impactScore": 4.2, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-04-04T00:16:17.337", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/electron/electron/security/advisories/GHSA-4p4r-m79c-wq3v"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Undergoing Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-74"}, {"lang": "en", "value": "CWE-113"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{"bugzilla": {"description": "electron: Electron: HTTP Response Header Injection via attacker-controlled input", "id": "2455000", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2455000"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.9", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:H/A:N", "status": "draft"}, "cwe": "CWE-140", "details": ["Electron is a framework for writing cross-platform desktop applications using JavaScript, HTML and CSS. Prior to versions 38.8.6, 39.8.3, 40.8.3, and 41.0.3, apps that register custom protocol handlers via protocol.handle() / protocol.registerSchemesAsPrivileged() or modify response headers via webRequest.onHeadersReceived may be vulnerable to HTTP response header injection if attacker-controlled input is reflected into a response header name or value. An attacker who can influence a header value may be able to inject additional response headers, affecting cookies, content security policy, or cross-origin access controls. Apps that do not reflect external input into response headers are not affected. This issue has been patched in versions 38.8.6, 39.8.3, 40.8.3, and 41.0.3.", "A flaw was found in Electron, a framework used for developing cross-platform desktop applications. This vulnerability, known as HTTP response header injection, occurs when an application reflects attacker-controlled input into a response header. A remote attacker could exploit this to inject additional response headers, potentially compromising security controls like cookies, content security policy, or cross-origin access controls. This could lead to unauthorized data access or manipulation within affected applications. Apps that do not reflect external input into response headers are not affected."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."}, "name": "CVE-2026-34767", "package_state": [{"cpe": "cpe:/a:redhat:podman_desktop:1", "fix_state": "Fix deferred", "package_name": "podman-desktop-macos-1-0", "product_name": "Red Hat Build of Podman Desktop"}, {"cpe": "cpe:/a:redhat:podman_desktop:1", "fix_state": "Fix deferred", "package_name": "podman-desktop-windows-1-0", "product_name": "Red Hat Build of Podman Desktop"}, {"cpe": "cpe:/a:redhat:podman_desktop:0", "fix_state": "Fix deferred", "package_name": "rhdesktop/rh-podman-desktop-ext-openshift-local-rhel10", "product_name": "Red Hat Build of Podman Desktop - Tech Preview"}], "public_date": "2026-04-03T23:43:09Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-34767\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-34767\nhttps://github.com/electron/electron/security/advisories/GHSA-4p4r-m79c-wq3v"], "threat_severity": "Moderate"}