Electron: nodeIntegrationInWorker not correctly scoped in shared renderer processes

GHSA-xwr5-m59h-vwqr · CVE-2026-34775

Published Apr 3, 2026 · Modified Apr 6, 2026

Description

Impact

The nodeIntegrationInWorker webPreference was not correctly scoped in all configurations. In certain process-sharing scenarios, workers spawned in frames configured with nodeIntegrationInWorker: false could still receive Node.js integration.

Apps are only affected if they enable nodeIntegrationInWorker. Apps that do not use nodeIntegrationInWorker are not affected.

Workarounds

Avoid enabling nodeIntegrationInWorker in apps that also open child windows or embed content with differing webPreferences.

Fixed Versions

41.0.0
40.8.4
39.8.4
38.8.6

For more information

If there are any questions or comments about this advisory, please email security@electronjs.org

References

WEB https://github.com/electron/electron/security/advisories/GHSA-xwr5-m59h-vwqr
ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2026-34775
PACKAGE https://github.com/electron/electron

Ready to move

Start Securing

Start for Free Get Demo

Free, no credit card | First findings in minutes