{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-34775", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-30T19:54:55.555Z", "datePublished": "2026-04-03T23:55:20.950Z", "dateUpdated": "2026-04-06T15:53:04.081Z"}, "containers": {"cna": {"title": "Electron: nodeIntegrationInWorker not correctly scoped in shared renderer processes", "problemTypes": [{"descriptions": [{"cweId": "CWE-653", "lang": "en", "description": "CWE-653: Improper Isolation or Compartmentalization", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/electron/electron/security/advisories/GHSA-xwr5-m59h-vwqr", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/electron/electron/security/advisories/GHSA-xwr5-m59h-vwqr"}], "affected": [{"vendor": "electron", "product": "electron", "versions": [{"version": "< 38.8.6", "status": "affected"}, {"version": ">= 39.0.0-alpha.1, < 39.8.4", "status": "affected"}, {"version": ">= 40.0.0-alpha.1, < 40.8.4", "status": "affected"}, {"version": ">= 41.0.0-alpha.1, < 41.0.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-03T23:55:20.950Z"}, "descriptions": [{"lang": "en", "value": "Electron is a framework for writing cross-platform desktop applications using JavaScript, HTML and CSS. Prior to versions 38.8.6, 39.8.4, 40.8.4, and 41.0.0, the nodeIntegrationInWorker webPreference was not correctly scoped in all configurations. In certain process-sharing scenarios, workers spawned in frames configured with nodeIntegrationInWorker: false could still receive Node.js integration. Apps are only affected if they enable nodeIntegrationInWorker. Apps that do not use nodeIntegrationInWorker are not affected. This issue has been patched in versions 38.8.6, 39.8.4, 40.8.4, and 41.0.0."}], "source": {"advisory": "GHSA-xwr5-m59h-vwqr", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-06T15:52:56.041429Z", "id": "CVE-2026-34775", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-06T15:53:04.081Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-34775", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-04-06T15:52:56.041429Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-06T15:53:00.458Z"}}], "cna": {"title": "Electron: nodeIntegrationInWorker not correctly scoped in shared renderer processes", "source": {"advisory": "GHSA-xwr5-m59h-vwqr", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.8, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "electron", "product": "electron", "versions": [{"status": "affected", "version": "< 38.8.6"}, {"status": "affected", "version": ">= 39.0.0-alpha.1, < 39.8.4"}, {"status": "affected", "version": ">= 40.0.0-alpha.1, < 40.8.4"}, {"status": "affected", "version": ">= 41.0.0-alpha.1, < 41.0.0"}]}], "references": [{"url": "https://github.com/electron/electron/security/advisories/GHSA-xwr5-m59h-vwqr", "name": "https://github.com/electron/electron/security/advisories/GHSA-xwr5-m59h-vwqr", "tags": ["x_refsource_CONFIRM"]}], "descriptions": [{"lang": "en", "value": "Electron is a framework for writing cross-platform desktop applications using JavaScript, HTML and CSS. Prior to versions 38.8.6, 39.8.4, 40.8.4, and 41.0.0, the nodeIntegrationInWorker webPreference was not correctly scoped in all configurations. In certain process-sharing scenarios, workers spawned in frames configured with nodeIntegrationInWorker: false could still receive Node.js integration. Apps are only affected if they enable nodeIntegrationInWorker. Apps that do not use nodeIntegrationInWorker are not affected. This issue has been patched in versions 38.8.6, 39.8.4, 40.8.4, and 41.0.0."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-653", "description": "CWE-653: Improper Isolation or Compartmentalization"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-03T23:55:20.950Z"}}}, "cveMetadata": {"cveId": "CVE-2026-34775", "state": "PUBLISHED", "dateUpdated": "2026-04-06T15:53:04.081Z", "dateReserved": "2026-03-30T19:54:55.555Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-04-03T23:55:20.950Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Electron is a framework for writing cross-platform desktop applications using JavaScript, HTML and CSS. Prior to versions 38.8.6, 39.8.4, 40.8.4, and 41.0.0, the nodeIntegrationInWorker webPreference was not correctly scoped in all configurations. In certain process-sharing scenarios, workers spawned in frames configured with nodeIntegrationInWorker: false could still receive Node.js integration. Apps are only affected if they enable nodeIntegrationInWorker. Apps that do not use nodeIntegrationInWorker are not affected. This issue has been patched in versions 38.8.6, 39.8.4, 40.8.4, and 41.0.0."}], "id": "CVE-2026-34775", "lastModified": "2026-04-07T13:20:55.200", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 1.6, "impactScore": 5.2, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-04-04T00:16:18.597", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/electron/electron/security/advisories/GHSA-xwr5-m59h-vwqr"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Undergoing Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-653"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{"bugzilla": {"description": "Electron: Electron: Arbitrary code execution and information disclosure due to incorrect Node.js integration scoping", "id": "2455023", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2455023"}, "csaw": false, "cvss3": {"cvss3_base_score": "6.8", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N", "status": "draft"}, "cwe": "CWE-266", "details": ["Electron is a framework for writing cross-platform desktop applications using JavaScript, HTML and CSS. Prior to versions 38.8.6, 39.8.4, 40.8.4, and 41.0.0, the nodeIntegrationInWorker webPreference was not correctly scoped in all configurations. In certain process-sharing scenarios, workers spawned in frames configured with nodeIntegrationInWorker: false could still receive Node.js integration. Apps are only affected if they enable nodeIntegrationInWorker. Apps that do not use nodeIntegrationInWorker are not affected. This issue has been patched in versions 38.8.6, 39.8.4, 40.8.4, and 41.0.0.", "A flaw was found in Electron, a framework for building desktop applications. In specific scenarios where applications enable Node.js integration, a misconfiguration could allow workers, which are background scripts, to gain Node.js capabilities even when explicitly disabled. This could enable a remote attacker to execute arbitrary code or access sensitive information within the application. Apps are only affected if they enable nodeIntegrationInWorker. Apps that do not use nodeIntegrationInWorker are not affected."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."}, "name": "CVE-2026-34775", "package_state": [{"cpe": "cpe:/a:redhat:podman_desktop:1", "fix_state": "Fix deferred", "package_name": "podman-desktop-macos-1-0", "product_name": "Red Hat Build of Podman Desktop"}, {"cpe": "cpe:/a:redhat:podman_desktop:1", "fix_state": "Fix deferred", "package_name": "podman-desktop-windows-1-0", "product_name": "Red Hat Build of Podman Desktop"}, {"cpe": "cpe:/a:redhat:podman_desktop:0", "fix_state": "Fix deferred", "package_name": "rhdesktop/rh-podman-desktop-ext-openshift-local-rhel10", "product_name": "Red Hat Build of Podman Desktop - Tech Preview"}], "public_date": "2026-04-03T23:55:20Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-34775\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-34775\nhttps://github.com/electron/electron/security/advisories/GHSA-xwr5-m59h-vwqr"], "threat_severity": "Moderate"}