CVE-2026-34766: Electron: USB device selection not validated against filtered device list

April 3, 2026 (updated April 6, 2026)

The select-usb-device event callback did not validate the chosen device ID against the filtered list that was presented to the handler. An app whose handler could be influenced to select a device ID outside the filtered set would grant access to a device that did not match the renderer’s requested filters or was listed in exclusionFilters.

The WebUSB security blocklist remained enforced regardless, so security-sensitive devices on the blocklist were not affected. The practical impact is limited to apps with unusual device-selection logic.

References

github.com/advisories/GHSA-9899-m83m-qhpj
github.com/electron/electron
github.com/electron/electron/security/advisories/GHSA-9899-m83m-qhpj
nvd.nist.gov/vuln/detail/CVE-2026-34766

Code Behaviors & Features

Detect and mitigate CVE-2026-34766 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →