{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-34767", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-30T19:54:55.555Z", "datePublished": "2026-04-03T23:43:09.327Z", "dateUpdated": "2026-04-06T19:07:57.198Z"}, "containers": {"cna": {"title": "Electron: HTTP Response Header Injection in custom protocol handlers and webRequest", "problemTypes": [{"descriptions": [{"cweId": "CWE-74", "lang": "en", "description": "CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-113", "lang": "en", "description": "CWE-113: Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:H/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/electron/electron/security/advisories/GHSA-4p4r-m79c-wq3v", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/electron/electron/security/advisories/GHSA-4p4r-m79c-wq3v"}], "affected": [{"vendor": "electron", "product": "electron", "versions": [{"version": "< 38.8.6", "status": "affected"}, {"version": ">= 39.0.0-alpha.1, < 39.8.3", "status": "affected"}, {"version": ">= 40.0.0-alpha.1, < 40.8.3", "status": "affected"}, {"version": ">= 41.0.0-alpha.1, < 41.0.3", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-03T23:43:09.327Z"}, "descriptions": [{"lang": "en", "value": "Electron is a framework for writing cross-platform desktop applications using JavaScript, HTML and CSS. Prior to versions 38.8.6, 39.8.3, 40.8.3, and 41.0.3, apps that register custom protocol handlers via protocol.handle() / protocol.registerSchemesAsPrivileged() or modify response headers via webRequest.onHeadersReceived may be vulnerable to HTTP response header injection if attacker-controlled input is reflected into a response header name or value. An attacker who can influence a header value may be able to inject additional response headers, affecting cookies, content security policy, or cross-origin access controls. Apps that do not reflect external input into response headers are not affected. This issue has been patched in versions 38.8.6, 39.8.3, 40.8.3, and 41.0.3."}], "source": {"advisory": "GHSA-4p4r-m79c-wq3v", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-06T19:07:46.602540Z", "id": "CVE-2026-34767", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-06T19:07:57.198Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-34767", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-06T19:07:46.602540Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-06T19:07:52.702Z"}}], "cna": {"title": "Electron: HTTP Response Header Injection in custom protocol handlers and webRequest", "source": {"advisory": "GHSA-4p4r-m79c-wq3v", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.9, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}], "affected": [{"vendor": "electron", "product": "electron", "versions": [{"status": "affected", "version": "< 38.8.6"}, {"status": "affected", "version": ">= 39.0.0-alpha.1, < 39.8.3"}, {"status": "affected", "version": ">= 40.0.0-alpha.1, < 40.8.3"}, {"status": "affected", "version": ">= 41.0.0-alpha.1, < 41.0.3"}]}], "references": [{"url": "https://github.com/electron/electron/security/advisories/GHSA-4p4r-m79c-wq3v", "name": "https://github.com/electron/electron/security/advisories/GHSA-4p4r-m79c-wq3v", "tags": ["x_refsource_CONFIRM"]}], "descriptions": [{"lang": "en", "value": "Electron is a framework for writing cross-platform desktop applications using JavaScript, HTML and CSS. Prior to versions 38.8.6, 39.8.3, 40.8.3, and 41.0.3, apps that register custom protocol handlers via protocol.handle() / protocol.registerSchemesAsPrivileged() or modify response headers via webRequest.onHeadersReceived may be vulnerable to HTTP response header injection if attacker-controlled input is reflected into a response header name or value. An attacker who can influence a header value may be able to inject additional response headers, affecting cookies, content security policy, or cross-origin access controls. Apps that do not reflect external input into response headers are not affected. This issue has been patched in versions 38.8.6, 39.8.3, 40.8.3, and 41.0.3."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-74", "description": "CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-113", "description": "CWE-113: Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-03T23:43:09.327Z"}}}, "cveMetadata": {"cveId": "CVE-2026-34767", "state": "PUBLISHED", "dateUpdated": "2026-04-06T19:07:57.198Z", "dateReserved": "2026-03-30T19:54:55.555Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-04-03T23:43:09.327Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Electron is a framework for writing cross-platform desktop applications using JavaScript, HTML and CSS. Prior to versions 38.8.6, 39.8.3, 40.8.3, and 41.0.3, apps that register custom protocol handlers via protocol.handle() / protocol.registerSchemesAsPrivileged() or modify response headers via webRequest.onHeadersReceived may be vulnerable to HTTP response header injection if attacker-controlled input is reflected into a response header name or value. An attacker who can influence a header value may be able to inject additional response headers, affecting cookies, content security policy, or cross-origin access controls. Apps that do not reflect external input into response headers are not affected. This issue has been patched in versions 38.8.6, 39.8.3, 40.8.3, and 41.0.3."}], "id": "CVE-2026-34767", "lastModified": "2026-04-07T13:20:55.200", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 1.6, "impactScore": 4.2, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-04-04T00:16:17.337", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/electron/electron/security/advisories/GHSA-4p4r-m79c-wq3v"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Undergoing Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-74"}, {"lang": "en", "value": "CWE-113"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{"bugzilla": {"description": "electron: Electron: HTTP Response Header Injection via attacker-controlled input", "id": "2455000", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2455000"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.9", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:H/A:N", "status": "draft"}, "cwe": "CWE-140", "details": ["Electron is a framework for writing cross-platform desktop applications using JavaScript, HTML and CSS. Prior to versions 38.8.6, 39.8.3, 40.8.3, and 41.0.3, apps that register custom protocol handlers via protocol.handle() / protocol.registerSchemesAsPrivileged() or modify response headers via webRequest.onHeadersReceived may be vulnerable to HTTP response header injection if attacker-controlled input is reflected into a response header name or value. An attacker who can influence a header value may be able to inject additional response headers, affecting cookies, content security policy, or cross-origin access controls. Apps that do not reflect external input into response headers are not affected. This issue has been patched in versions 38.8.6, 39.8.3, 40.8.3, and 41.0.3.", "A flaw was found in Electron, a framework used for developing cross-platform desktop applications. This vulnerability, known as HTTP response header injection, occurs when an application reflects attacker-controlled input into a response header. A remote attacker could exploit this to inject additional response headers, potentially compromising security controls like cookies, content security policy, or cross-origin access controls. This could lead to unauthorized data access or manipulation within affected applications. Apps that do not reflect external input into response headers are not affected."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."}, "name": "CVE-2026-34767", "package_state": [{"cpe": "cpe:/a:redhat:podman_desktop:1", "fix_state": "Fix deferred", "package_name": "podman-desktop-macos-1-0", "product_name": "Red Hat Build of Podman Desktop"}, {"cpe": "cpe:/a:redhat:podman_desktop:1", "fix_state": "Fix deferred", "package_name": "podman-desktop-windows-1-0", "product_name": "Red Hat Build of Podman Desktop"}, {"cpe": "cpe:/a:redhat:podman_desktop:0", "fix_state": "Fix deferred", "package_name": "rhdesktop/rh-podman-desktop-ext-openshift-local-rhel10", "product_name": "Red Hat Build of Podman Desktop - Tech Preview"}], "public_date": "2026-04-03T23:43:09Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-34767\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-34767\nhttps://github.com/electron/electron/security/advisories/GHSA-4p4r-m79c-wq3v"], "threat_severity": "Moderate"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,38.8.6)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[39.0.0-alpha.1,39.8.3)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[40.0.0-alpha.1,40.8.3)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[41.0.0-alpha.1,41.0.3)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "electron", "source": "cna", "vendor": "electron"}, "product": "electron", "vendor": "electron"}], "analysis": {"en": {"generated_at": "2026-04-07T02:13:41.824749+00:00", "value": {"mitigation_remediation": ["Upgrade Electron to version 38.8.6, 39.8.3, 40.8.3, 41.0.3 or any later release that contains the patch.", "If an update is not immediately possible, review custom protocol and webRequest code to ensure that header names and values never incorporate untrusted input; apply input sanitization or validation as needed.", "Consider disabling custom protocol handlers or restricting their use if the application does not require them.", "Continuously monitor Electron security advisories for updates or additional mitigations."], "summary": {"action": "Immediate Patch", "impact": "HTTP Response Header Injection"}, "threat_synthesis": {"affected_systems": "Versions of Electron preceding 38.8.6, 39.8.3, 40.8.3 and 41.0.3 are impacted whenever applications register custom protocol handlers via protocol.handle() or protocol.registerSchemesAsPrivileged(), or use webRequest.onHeadersReceived to modify response headers. Applications that do not use external data in these headers are not affected, but the widest risk applies to desktop apps built with the most recent Electron releases prior to the mentioned patches.", "description_and_impact": "Electron applications that use custom protocol handlers or modify HTTP response headers may reflect attacker-controlled input into header names or values. This flaw allows an adversary to insert additional headers into responses, potentially altering cookies, content\u2011security\u2011policy, or cross\u2011origin access controls. The vulnerability arises from insufficient validation of header fields, which can be exploited through the vulnerable Electron APIs.", "risk_and_exploitability": "The CVSS score of 5.9 indicates moderate severity, and the EPSS score of less than 1\u202f% suggests a low likelihood of exploitation in the wild. The vulnerability is not listed in the CISA KEV catalog and no public exploits have been reported. Exploitation requires an attacker to supply data that is incorporated into a header field, for example via a malicious custom protocol URI or crafted network request. If an application accepts such input without validation, the risk increases; otherwise the vulnerability remains contained."}}}}, "created": "2026-04-06T21:21:42.432554+00:00", "updated": "2026-04-07T07:16:28.680321+00:00", "vendors": ["electron", "electron$PRODUCT$electron"]}