CVE Vulnerabilities

CVE-2026-34775

Improper Isolation or Compartmentalization

Published: Apr 04, 2026 | Modified: Apr 22, 2026
CVSS 3.x
9.8
CRITICAL
Source:
NVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVSS 2.x
RedHat/V2
RedHat/V3
6.8 MODERATE
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N
Ubuntu
root.io logo minimus.io logo echo.ai logo

Electron is a framework for writing cross-platform desktop applications using JavaScript, HTML and CSS. Prior to versions 38.8.6, 39.8.4, 40.8.4, and 41.0.0, the nodeIntegrationInWorker webPreference was not correctly scoped in all configurations. In certain process-sharing scenarios, workers spawned in frames configured with nodeIntegrationInWorker: false could still receive Node.js integration. Apps are only affected if they enable nodeIntegrationInWorker. Apps that do not use nodeIntegrationInWorker are not affected. This issue has been patched in versions 38.8.6, 39.8.4, 40.8.4, and 41.0.0.

Weakness

The product does not properly compartmentalize or isolate functionality, processes, or resources that require different privilege levels, rights, or permissions.

Affected Software

NameVendorStart VersionEnd Version
ElectronElectronjs*38.8.6 (excluding)
ElectronElectronjs39.0.0 (including)39.8.4 (excluding)
ElectronElectronjs40.0.0 (including)40.8.4 (excluding)
ElectronElectronjs41.0.0-alpha1 (including)41.0.0-alpha1 (including)
ElectronElectronjs41.0.0-alpha2 (including)41.0.0-alpha2 (including)
ElectronElectronjs41.0.0-alpha3 (including)41.0.0-alpha3 (including)
ElectronElectronjs41.0.0-alpha4 (including)41.0.0-alpha4 (including)
ElectronElectronjs41.0.0-alpha5 (including)41.0.0-alpha5 (including)
ElectronElectronjs41.0.0-alpha6 (including)41.0.0-alpha6 (including)
ElectronElectronjs41.0.0-beta1 (including)41.0.0-beta1 (including)
ElectronElectronjs41.0.0-beta2 (including)41.0.0-beta2 (including)
ElectronElectronjs41.0.0-beta3 (including)41.0.0-beta3 (including)
ElectronElectronjs41.0.0-beta4 (including)41.0.0-beta4 (including)
ElectronElectronjs41.0.0-beta5 (including)41.0.0-beta5 (including)
ElectronElectronjs41.0.0-beta6 (including)41.0.0-beta6 (including)
ElectronElectronjs41.0.0-beta7 (including)41.0.0-beta7 (including)
ElectronElectronjs41.0.0-beta8 (including)41.0.0-beta8 (including)

Potential Mitigations

References