HTTP Response Header Injection in Electron Framework Affects Several Versions
CVE-2026-34767

5.9 MEDIUM

Key Information:

Vendor

Electron

Status
Vendor
CVE Published:
3 April 2026

What is CVE-2026-34767?

The Electron Framework, used for creating cross-platform desktop applications, has a vulnerability in its handling of custom protocol handlers and response headers. Prior to versions 38.8.6, 39.8.3, 40.8.3, and 41.0.3, the framework is susceptible to HTTP response header injection, allowing attackers to manipulate response headers if they can influence the input reflected in those headers. Successful exploitation could lead to severe consequences, including unauthorized changes to cookies, content security policies, or cross-origin access controls. Applications that do not reflect user input in response headers are not impacted by this issue, which has been resolved in the specified patched versions.
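For applications whose custom protocol handlers must reflect input into response headers, one defensive pattern is to validate or encode each value before it reaches the response. This is an added example, not Electron's code or part of the advisory; the `app://` scheme, the `name` and `lang` parameters, and the helper names are hypothetical, and the request URLs are constructed.

```javascript
'use strict';

// Hypothetical helper: refuse any value that could terminate a header line.
function headerValue(name, value) {
  const text = String(value);
  if (/[\r\n\0]/.test(text)) {
    throw new RangeError(`control character in value for ${name}`);
  }
  return text;
}

// Hypothetical builder for a custom-protocol response that reflects two
// request parameters into headers.
function downloadHeaders(requestUrl) {
  const params = new URL(requestUrl).searchParams; // values arrive percent-decoded
  const file = params.get('name') ?? 'download.bin';
  const lang = params.get('lang') ?? 'en';
  return {
    'Content-Type': 'application/octet-stream',
    // Verbatim reflection: validate, and fail closed on CR, LF or NUL.
    'Content-Language': headerValue('Content-Language', lang),
    // Free-form text: percent-encode so line breaks cannot survive as bytes.
    'Content-Disposition': headerValue(
      'Content-Disposition',
      `attachment; filename*=UTF-8''${encodeURIComponent(file)}`
    ),
  };
}

// Constructed request: the lang parameter decodes to a value containing CRLF.
const CONSTRUCTED_BAD_URL = 'app://bundle/get?name=a.txt&lang=en%0D%0AX-Injected:%201';

// Wrapper so a handler can answer with an error instead of a tainted header set.
function tryHeaders(requestUrl) {
  try {
    return { ok: true, headers: downloadHeaders(requestUrl) };
  } catch (err) {
    return { ok: false, error: err.message };
  }
}

console.log(tryHeaders('app://bundle/get?name=report.pdf&lang=de'));
console.log(tryHeaders(CONSTRUCTED_BAD_URL));
```

A guard like this complements upgrading to a patched release; it does not replace it.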

Affected Version(s)

electron < 38.8.6

electron >= 39.0.0-alpha.1, < 39.8.3

electron >= 40.0.0-alpha.1, < 40.8.3

CVSS V3.1

Score:
5.9
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
High
Availability:
Low
Attack Vector:
Network
Attack Complexity:
High
Privileges Required:
None
User Interaction:
Required
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved