GHSA-r5p7-gp4j-qhrx

Source

https://github.com/advisories/GHSA-r5p7-gp4j-qhrx

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/04/GHSA-r5p7-gp4j-qhrx/GHSA-r5p7-gp4j-qhrx.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-r5p7-gp4j-qhrx

Aliases

CVE-2026-34777

Published

2026-04-03T02:44:26Z

Modified

2026-04-03T03:04:57.582500Z

Severity

5.4 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N CVSS Calculator

Summary

Electron: Incorrect origin passed to permission request handler for iframe requests

Details

Impact

When an iframe requests fullscreen, pointerLock, keyboardLock, openExternal, or media permissions, the origin passed to session.setPermissionRequestHandler() was the top-level page's origin rather than the requesting iframe's origin. Apps that grant permissions based on the origin parameter or webContents.getURL() may inadvertently grant permissions to embedded third-party content.

The correct requesting URL remains available via details.requestingUrl. Apps that already check details.requestingUrl are not affected.

Workarounds

In your setPermissionRequestHandler, inspect details.requestingUrl rather than the origin parameter or webContents.getURL() when deciding whether to grant fullscreen, pointerLock, keyboardLock, openExternal, or media permissions.

Fixed Versions

41.0.0
40.8.1
39.8.1
38.8.6

For more information

If there are any questions or comments about this advisory, please email security@electronjs.org

Database specific

{
    "github_reviewed": true,
    "github_reviewed_at": "2026-04-03T02:44:26Z",
    "severity": "MODERATE",
    "nvd_published_at": null,
    "cwe_ids": [
        "CWE-346"
    ]
}

References

Affected packages

npm / electron

Package

Name: electron; View open source insights on deps.dev
Purl: pkg:npm/electron

Affected ranges

Type: SEMVER
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

38.8.6

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/04/GHSA-r5p7-gp4j-qhrx/GHSA-r5p7-gp4j-qhrx.json"

npm / electron

Package

Name: electron; View open source insights on deps.dev
Purl: pkg:npm/electron

Affected ranges

Type: SEMVER
Events: Introduced

39.0.0-alpha.1

Fixed

39.8.1

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/04/GHSA-r5p7-gp4j-qhrx/GHSA-r5p7-gp4j-qhrx.json"

npm / electron

Package

Name: electron; View open source insights on deps.dev
Purl: pkg:npm/electron

Affected ranges

Type: SEMVER
Events: Introduced

40.0.0-alpha.1

Fixed

40.8.1

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/04/GHSA-r5p7-gp4j-qhrx/GHSA-r5p7-gp4j-qhrx.json"

npm / electron

Package

Name: electron; View open source insights on deps.dev
Purl: pkg:npm/electron

Affected ranges

Type: SEMVER
Events: Introduced

41.0.0-alpha.1

Fixed

41.0.0

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/04/GHSA-r5p7-gp4j-qhrx/GHSA-r5p7-gp4j-qhrx.json"