GHSA-MWMH-MQ4G-G6GR
Vulnerability from github – Published: 2026-04-03 02:41 – Updated: 2026-04-06 23:10
VLAI
Summary
Electron: Registry key path injection in app.setAsDefaultProtocolClient on Windows
Details
Impact
On Windows, app.setAsDefaultProtocolClient(protocol) did not validate the protocol name before writing to the registry. Apps that pass untrusted input as the protocol name may allow an attacker to write to arbitrary subkeys under HKCU\Software\Classes\, potentially hijacking existing protocol handlers.
Apps are only affected if they call app.setAsDefaultProtocolClient() with a protocol name derived from external or untrusted input. Apps that use a hardcoded protocol name are not affected.
Workarounds
Validate the protocol name matches /^[a-zA-Z][a-zA-Z0-9+.-]*$/ before passing it to app.setAsDefaultProtocolClient().
Fixed Versions
41.0.040.8.139.8.138.8.6
For more information
If there are any questions or comments about this advisory, please email security@electronjs.org
Severity
4.7 (Medium)
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "electron"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "38.8.6"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "npm",
"name": "electron"
},
"ranges": [
{
"events": [
{
"introduced": "39.0.0-alpha.1"
},
{
"fixed": "39.8.1"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "npm",
"name": "electron"
},
"ranges": [
{
"events": [
{
"introduced": "40.0.0-alpha.1"
},
{
"fixed": "40.8.1"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "npm",
"name": "electron"
},
"ranges": [
{
"events": [
{
"introduced": "41.0.0-alpha.1"
},
{
"fixed": "41.0.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-34773"
],
"database_specific": {
"cwe_ids": [
"CWE-20",
"CWE-74"
],
"github_reviewed": true,
"github_reviewed_at": "2026-04-03T02:41:52Z",
"nvd_published_at": "2026-04-04T00:16:18Z",
"severity": "MODERATE"
},
"details": "### Impact\nOn Windows, `app.setAsDefaultProtocolClient(protocol)` did not validate the protocol name before writing to the registry. Apps that pass untrusted input as the protocol name may allow an attacker to write to arbitrary subkeys under `HKCU\\Software\\Classes\\`, potentially hijacking existing protocol handlers.\n\nApps are only affected if they call `app.setAsDefaultProtocolClient()` with a protocol name derived from external or untrusted input. Apps that use a hardcoded protocol name are not affected.\n\n### Workarounds\nValidate the protocol name matches `/^[a-zA-Z][a-zA-Z0-9+.-]*$/` before passing it to `app.setAsDefaultProtocolClient()`.\n\n### Fixed Versions\n* `41.0.0`\n* `40.8.1`\n* `39.8.1`\n* `38.8.6`\n\n### For more information\nIf there are any questions or comments about this advisory, please email [security@electronjs.org](mailto:security@electronjs.org)",
"id": "GHSA-mwmh-mq4g-g6gr",
"modified": "2026-04-06T23:10:51Z",
"published": "2026-04-03T02:41:52Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/electron/electron/security/advisories/GHSA-mwmh-mq4g-g6gr"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-34773"
},
{
"type": "PACKAGE",
"url": "https://github.com/electron/electron"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:N",
"type": "CVSS_V3"
}
],
"summary": "Electron: Registry key path injection in app.setAsDefaultProtocolClient on Windows"
}
Loading…
Loading…
Experimental. This forecast is provided for visualization only and may change without notice. Do not use it for operational decisions.
Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…