PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-34769 Electronjs CVE debrief

An undocumented webPreference named commandLineSwitches in Electron allowed arbitrary Chromium switches to be appended to the renderer process command line. Applications that construct webPreferences by spreading untrusted configuration objects—without an allowlist—could inadvertently let an attacker inject switches that disable renderer sandboxing or web security controls. This is a configuration-injection weakness (CWE-88/CWE-912) rather than a default-vulnerable code path; apps with hardcoded webPreferences are unaffected. The issue was disclosed on 2026-04-04 and last modified on 2026-06-01. Patches are available in Electron 38.8.6, 39.8.0, 40.7.0, and 41.0.0-beta.8.

Vendor: Electronjs
Product: Electron
CVSS: HIGH 7.7
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-04-04
Original CVE updated: 2026-06-01
Advisory published: 2026-04-04
Advisory updated: 2026-06-01

Who should care

Teams shipping Electron-based desktop applications that accept external or user-supplied configuration, especially those using dynamic webPreferences construction. Security auditors reviewing Electron app attack surfaces should also prioritize this finding.

Technical summary

Electron exposes a webPreference key called commandLineSwitches that was not publicly documented. When an application spreads an untrusted object into webPreferences (e.g., { ...untrustedConfig }), an attacker can supply a commandLineSwitches property containing arbitrary Chromium command-line switches. Because renderer processes inherit these switches, an attacker can disable security features such as the renderer sandbox or web security controls. Per the CVSS vector, the attack vector is local, attack complexity is high, no privileges are required, user interaction is required, scope is changed, and the confidentiality, integrity, and availability impacts are all high.

Defensive priority

HIGH

Recommended defensive actions

  • Upgrade Electron to patched versions 38.8.6, 39.8.0, 40.7.0, or 41.0.0-beta.8 (or later stable releases).
  • Audit application code for any construction of webPreferences via spread operators or Object.assign with untrusted/external input.
  • Implement an explicit allowlist for permitted webPreference keys; reject or strip any unexpected properties, especially commandLineSwitches.
  • If dynamic webPreferences are required, validate and sanitize each key-value pair against a known-safe schema before passing to Electron APIs.
  • Review renderer process launch arguments for unexpected switches that could indicate prior exploitation.
  • For applications that cannot immediately upgrade, avoid spreading untrusted objects into webPreferences and disable any user-controlled renderer configuration paths.
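The spread pattern from the technical summary beside the allowlisted builder recommended above, as an added example that is neither Electron's code nor part of the advisory. It is plain Node.js (no Electron dependency); the baseline preference keys, the allowlist, and the untrusted sample config are constructed for illustration, and the switch value is a placeholder rather than a real Chromium switch.

```javascript
// Fixed, hardcoded baseline the application actually needs.
const BASE_WEB_PREFERENCES = Object.freeze({
  contextIsolation: true,
  nodeIntegration: false,
  sandbox: true,
  webSecurity: true,
});

// Only these keys may be overridden by external configuration, and only with
// the listed type. Anything else (undocumented keys such as commandLineSwitches
// included) is dropped and reported.
const ALLOWED_OVERRIDES = Object.freeze({
  zoomFactor: 'number',
  spellcheck: 'boolean',
  backgroundThrottling: 'boolean',
});

// Vulnerable pattern from the advisory: every property of the untrusted object,
// documented or not, reaches Electron unchanged (and overrides the baseline).
function buildWebPreferencesUnsafe(untrustedConfig) {
  return { ...BASE_WEB_PREFERENCES, ...untrustedConfig };
}

// Hardened pattern: copy only allowlisted keys of the expected type. Own-property
// lookup keeps inherited names like __proto__ or constructor from matching.
function buildWebPreferencesSafe(untrustedConfig) {
  const prefs = { ...BASE_WEB_PREFERENCES };
  const rejected = [];
  for (const [key, value] of Object.entries(untrustedConfig ?? {})) {
    const allowed = Object.prototype.hasOwnProperty.call(ALLOWED_OVERRIDES, key);
    if (allowed && typeof value === ALLOWED_OVERRIDES[key]) {
      prefs[key] = value;
    } else {
      rejected.push(key); // log or alert on these in a real application
    }
  }
  return { prefs, rejected };
}

// Constructed sample: a "settings" object that smuggles in the undocumented key
// and tries to flip a documented security-relevant one. Placeholder switch value.
const UNTRUSTED_CONFIG = {
  zoomFactor: 1.25,
  sandbox: false,
  commandLineSwitches: ['--example-placeholder-switch'],
};

module.exports = { buildWebPreferencesUnsafe, buildWebPreferencesSafe, UNTRUSTED_CONFIG };
```

Running both builders over UNTRUSTED_CONFIG shows the unsafe one handing the undocumented key and sandbox: false straight through, while the safe one keeps the baseline and reports both keys as rejected.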

Evidence notes

The CVE description and NVD record identify the undocumented commandLineSwitches webPreference as the attack vector. CWE-88 (Argument Injection/Modification) and CWE-912 (Hidden Functionality) are listed as primary weaknesses. The GitHub Security Advisory is tagged as a vendor advisory. CVSS 3.1 vector AV:L/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H yields a base score of 7.7 (HIGH).

Official resources

2026-04-04T00:16:17.657Z