logo

Database

Insecure service configuration - Certificates In electron

Description

Electron: Unquoted executable path in app.setLoginItemSettings on Windows

Impact

On Windows, app.setLoginItemSettings({openAtLogin: true}) wrote the executable path to the Run registry key without quoting. If the app is installed to a path containing spaces, an attacker with write access to an ancestor directory may be able to cause a different executable to run at login instead of the intended app.

On a default Windows install, standard system directories are protected against writes by standard users, so exploitation typically requires a non-standard install location.

Workarounds

Install the application to a path without spaces, or to a location where all ancestor directories are protected against unauthorized writes.

Fixed Versions

    41.0.0-beta.8

    40.8.0

    39.8.1

    38.8.6

For more information

If there are any questions or comments about this advisory, send an email to [email protected]

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem
Package
Affected version
Patched versions

Aliases

1. CVE-2026-347682. NVD-2026-347683. OSV-2026-347684. GHSA-jfqx-fxh3-c62j5. GCVE-2026-34768

References

1. https://github.com/electron/electron/security/advisories/GHSA-jfqx-fxh3-c62j

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.