Improper authorization control for web services in Electron

Description

Electron: USB device selection not validated against filtered device list

Impact

The select-usb-device event callback did not validate the chosen device ID against the filtered list that was presented to the handler. An app whose handler could be influenced to select a device ID outside the filtered set would grant access to a device that did not match the renderer's requested filters or was listed in exclusionFilters.

The WebUSB security blocklist remained enforced regardless, so security-sensitive devices on the blocklist were not affected. The practical impact is limited to apps with unusual device-selection logic.
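The missing check described above, modeled as plain Node functions (added example, not Electron's own code): the renderer's WebUSB filters and exclusionFilters produce the list the handler is shown, and a device ID coming back from the handler is honoured only if it names a device on that list. The device objects and filters are constructed samples, and filter matching is simplified to device-level class codes.

```javascript
// Does one device satisfy one WebUSB USBDeviceFilter? Assumption: only
// device-level class codes are compared (the spec also checks each interface).
function matchesFilter(device, filter) {
  if (filter.vendorId !== undefined && device.vendorId !== filter.vendorId) return false;
  if (filter.productId !== undefined && device.productId !== filter.productId) return false;
  if (filter.classCode !== undefined && device.classCode !== filter.classCode) return false;
  if (filter.subclassCode !== undefined && device.subclassCode !== filter.subclassCode) return false;
  if (filter.protocolCode !== undefined && device.protocolCode !== filter.protocolCode) return false;
  if (filter.serialNumber !== undefined && device.serialNumber !== filter.serialNumber) return false;
  return true;
}

// The list a renderer's requestDevice({ filters, exclusionFilters }) may see:
// matches some filter (or no filters were given) and matches no exclusion filter.
function filterDeviceList(devices, filters = [], exclusionFilters = []) {
  return devices.filter((d) =>
    (filters.length === 0 || filters.some((f) => matchesFilter(d, f))) &&
    !exclusionFilters.some((f) => matchesFilter(d, f)));
}

// The check the advisory says was missing: a device ID returned by the
// select-usb-device handler is accepted only if it is in the filtered list;
// an ID outside that list is treated the same as cancelling (no device).
function resolveSelection(filteredList, chosenDeviceId) {
  if (chosenDeviceId === undefined) return null; // handler cancelled the request
  return filteredList.find((d) => d.deviceId === chosenDeviceId) ?? null;
}

// Constructed sample: renderer asked for vendor 0x1234 but excluded product 0x0002.
const ALL_DEVICES = [
  { deviceId: 'dev-a', vendorId: 0x1234, productId: 0x0001, classCode: 0xff },
  { deviceId: 'dev-b', vendorId: 0x1234, productId: 0x0002, classCode: 0xff },
  { deviceId: 'dev-c', vendorId: 0x9999, productId: 0x0001, classCode: 0x03 },
];
const FILTERS = [{ vendorId: 0x1234 }];
const EXCLUSION_FILTERS = [{ vendorId: 0x1234, productId: 0x0002 }];

// Simulates one request: build the filtered list, then validate the handler's answer.
// Only 'dev-a' is grantable; 'dev-b' (excluded) and 'dev-c' (no filter match) resolve to null.
function demo(chosenDeviceId) {
  const visible = filterDeviceList(ALL_DEVICES, FILTERS, EXCLUSION_FILTERS);
  return resolveSelection(visible, chosenDeviceId);
}
```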

Workarounds

There are no app-side workarounds; you must update to a patched version of Electron.

Fixed Versions

    41.0.0-beta.8
    40.7.0
    39.8.0
    38.8.6

For more information

If there are any questions or comments about this advisory, send an email to [email protected]

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

FLAT-NYBNY – Vulnerability | Fluid Attacks Database