CVE-2026-34775

MEDIUM6.8EPSS 0.01%

Electron: nodeIntegrationInWorker not correctly scoped in shared renderer processes

Published: 4/3/2026Modified: 4/6/2026

Description

### Impact The `nodeIntegrationInWorker` webPreference was not correctly scoped in all configurations. In certain process-sharing scenarios, workers spawned in frames configured with `nodeIntegrationInWorker: false` could still receive Node.js integration. Apps are only affected if they enable `nodeIntegrationInWorker`. Apps that do not use `nodeIntegrationInWorker` are not affected. ### Workarounds Avoid enabling `nodeIntegrationInWorker` in apps that also open child windows or embed content with differing webPreferences. ### Fixed Versions * `41.0.0` * `40.8.4` * `39.8.4` * `38.8.6` ### For more information If there are any questions or comments about this advisory, please email [[email protected]](mailto:[email protected])

Affected packages (1)

npm/electronfrom 0, < 38.8.6

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	MEDIUM6.8	CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N

Description

Affected packages (1)

CVSS scores

References (3)