{"id":"GHSA-f3pv-wv63-48x8","summary":"Electron: Named window.open targets not scoped to the opener's browsing context","details":"### Impact\nWhen a renderer calls `window.open()` with a target name, Electron did not correctly scope the named-window lookup to the opener's browsing context group. A renderer could navigate an existing child window that was opened by a different, unrelated renderer if both used the same target name. If that existing child was created with more permissive `webPreferences` (via `setWindowOpenHandler`'s `overrideBrowserWindowOptions`), content loaded by the second renderer inherits those permissions.\n\nApps are only affected if they open multiple top-level windows with differing trust levels **and** use `setWindowOpenHandler` to grant child windows elevated `webPreferences` such as a privileged preload script. Apps that do not elevate child window privileges, or that use a single top-level window, are not affected.\n\nApps that additionally grant `nodeIntegration: true` or `sandbox: false` to child windows (contrary to the [security recommendations](https://www.electronjs.org/docs/latest/tutorial/security)) may be exposed to arbitrary code execution.\n\n### Workarounds\nDeny `window.open()` in renderers that load untrusted content by returning `{ action: 'deny' }` from `setWindowOpenHandler`. Avoid granting child windows more permissive `webPreferences` than their opener.\n\n### Fixed Versions\n* `42.0.0-alpha.5`\n* `41.1.0`\n* `40.8.5`\n* `39.8.5`\n\n### For more information\nIf you have any questions or comments about this advisory, email us at [security@electronjs.org](mailto:security@electronjs.org)","aliases":["CVE-2026-34765"],"modified":"2026-04-08T12:08:27.365316Z","published":"2026-04-07T15:52:25Z","database_specific":{"severity":"MODERATE","github_reviewed":true,"cwe_ids":["CWE-668"],"nvd_published_at":"2026-04-07T22:16:22Z","github_reviewed_at":"2026-04-07T15:52:25Z"},"references":[{"type":"WEB","url":"https://github.com/electron/electron/security/advisories/GHSA-f3pv-wv63-48x8"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-34765"},{"type":"PACKAGE","url":"https://github.com/electron/electron"},{"type":"WEB","url":"https://github.com/electron/electron/releases/tag/v39.8.5"},{"type":"WEB","url":"https://github.com/electron/electron/releases/tag/v40.8.5"},{"type":"WEB","url":"https://github.com/electron/electron/releases/tag/v41.1.0"},{"type":"WEB","url":"https://github.com/electron/electron/releases/tag/v42.0.0-alpha.5"}],"affected":[{"package":{"name":"electron","ecosystem":"npm","purl":"pkg:npm/electron"},"ranges":[{"type":"SEMVER","events":[{"introduced":"0"},{"fixed":"39.8.5"}]}],"database_specific":{"source":"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/04/GHSA-f3pv-wv63-48x8/GHSA-f3pv-wv63-48x8.json"}},{"package":{"name":"electron","ecosystem":"npm","purl":"pkg:npm/electron"},"ranges":[{"type":"SEMVER","events":[{"introduced":"40.0.0-alpha.1"},{"fixed":"40.8.5"}]}],"database_specific":{"source":"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/04/GHSA-f3pv-wv63-48x8/GHSA-f3pv-wv63-48x8.json"}},{"package":{"name":"electron","ecosystem":"npm","purl":"pkg:npm/electron"},"ranges":[{"type":"SEMVER","events":[{"introduced":"41.0.0-alpha.1"},{"fixed":"41.1.0"}]}],"database_specific":{"source":"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/04/GHSA-f3pv-wv63-48x8/GHSA-f3pv-wv63-48x8.json"}},{"package":{"name":"electron","ecosystem":"npm","purl":"pkg:npm/electron"},"ranges":[{"type":"SEMVER","events":[{"introduced":"42.0.0-alpha.1"},{"fixed":"42.0.0-alpha.5"}]}],"database_specific":{"source":"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/04/GHSA-f3pv-wv63-48x8/GHSA-f3pv-wv63-48x8.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:L"}]}