Launch Week Day 1: Announcing Security Design Review
Start for Free
LOW 3.9 npm

Electron: Unquoted executable path in app.setLoginItemSettings on Windows

GHSA-jfqx-fxh3-c62j · CVE-2026-34768

Published · Modified

Description

Impact

On Windows, app.setLoginItemSettings({openAtLogin: true}) wrote the executable path to the Run registry key without quoting. If the app is installed to a path containing spaces, an attacker with write access to an ancestor directory may be able to cause a different executable to run at login instead of the intended app.

On a default Windows install, standard system directories are protected against writes by standard users, so exploitation typically requires a non-standard install location.

Workarounds

Install the application to a path without spaces, or to a location where all ancestor directories are protected against unauthorized writes.

Fixed Versions

  • 41.0.0-beta.8
  • 40.8.0
  • 39.8.1
  • 38.8.6

For more information

If there are any questions or comments about this advisory, send an email to security@electronjs.org

References

Ready to move

Start Securing

Start for Free Get Demo

Free, no credit card | First findings in minutes