Service Worker Spoofing Vulnerability in Electron Framework by GitHub
CVE-2026-34778

5.9 MEDIUM

Key Information:

Vendor: Electron

Status
Vendor
CVE Published: 3 April 2026

What is CVE-2026-34778?

Electron, a framework for building cross-platform desktop applications with JavaScript, HTML, and CSS, contains a service worker spoofing vulnerability that affects applications with registered service workers. In versions prior to the fixes in 38.8.6, 39.8.1, 40.8.1, and 41.0.0, an attacker could manipulate the internal IPC channel used by webContents.executeJavaScript() and related methods, causing main-process promises to resolve with potentially malicious data. An application that bases security-sensitive decisions on those results can be compromised, so developers should update to a patched version.

Affected Version(s)

electron < 38.8.6

electron >= 39.0.0-alpha.1, < 39.8.1

electron >= 40.0.0-alpha.1, < 40.8.1

CVSS V3.1

Score: 5.9
Severity: MEDIUM
Confidentiality: Low
Integrity: High
Availability: Low
Attack Vector: Network
Attack Complexity: High
Privileges Required: Low
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved