electron-updater allows for automatic updates for Electron apps. Prior to 9.7.0, the HTTP redirect handler (HttpExecutor.prepareRedirectUrlOptions) only stripped a credential header whose key string matched exactly lowercase "authorization", exposing credentials. Other credential-bearing headers — most notably PRIVATE-TOKEN (used by GitLab's personal access token flow) and mixed-case Authorization (used by GitLab's Bearer/OAuth flow) — were not stripped and could be forwarded to an attacker-controlled cross-origin redirect destination. This issue has been fixed in version 9.7.0.

Project Subscriptions

Vendors Products
Electron-userland Subscribe
Builder-util-runtime Subscribe
Electron-builder Subscribe
Advisories

No advisories yet.

Fixes

Solution

No solution given by the vendor.


Workaround

No workaround given by the vendor.

History

Thu, 02 Jul 2026 00:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-201
References
Metrics threat_severity

None

cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N'}

threat_severity

Moderate


Wed, 01 Jul 2026 14:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 01 Jul 2026 10:30:00 +0000

Type Values Removed Values Added
First Time appeared Electron-userland
Electron-userland builder-util-runtime
Electron-userland electron-builder
Vendors & Products Electron-userland
Electron-userland builder-util-runtime
Electron-userland electron-builder

Tue, 30 Jun 2026 22:45:00 +0000

Type Values Removed Values Added
Description electron-updater allows for automatic updates for Electron apps. Prior to 9.7.0, the HTTP redirect handler (HttpExecutor.prepareRedirectUrlOptions) only stripped a credential header whose key string matched exactly lowercase "authorization", exposing credentials. Other credential-bearing headers — most notably PRIVATE-TOKEN (used by GitLab's personal access token flow) and mixed-case Authorization (used by GitLab's Bearer/OAuth flow) — were not stripped and could be forwarded to an attacker-controlled cross-origin redirect destination. This issue has been fixed in version 9.7.0.
Title electron-updater: Cross-origin redirect leaks `PRIVATE-TOKEN` and mixed-case `Authorization` credentials in `builder-util-runtime`
Weaknesses CWE-200
References
Metrics cvssV4_0

{'score': 8.2, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N'}


Projects

Sign in to view the affected projects.

cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-07-01T13:26:49.397Z

Reserved: 2026-06-15T22:53:58.560Z

Link: CVE-2026-54673

cve-icon Vulnrichment

Updated: 2026-07-01T13:26:32.042Z

cve-icon NVD

No data.

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-06-30T22:11:37Z

Links: CVE-2026-54673 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-07-03T17:15:04Z

Weaknesses