CVE-2026-34767: Electron: HTTP Response Header Injection in custom protocol handlers and webRequest

April 3, 2026 (updated April 6, 2026)

Apps that register custom protocol handlers via protocol.handle() / protocol.registerSchemesAsPrivileged() or modify response headers via webRequest.onHeadersReceived may be vulnerable to HTTP response header injection if attacker-controlled input is reflected into a response header name or value.

An attacker who can influence a header value may be able to inject additional response headers, affecting cookies, content security policy, or cross-origin access controls.

Apps that do not reflect external input into response headers are not affected.

References

github.com/advisories/GHSA-4p4r-m79c-wq3v
github.com/electron/electron
github.com/electron/electron/security/advisories/GHSA-4p4r-m79c-wq3v
nvd.nist.gov/vuln/detail/CVE-2026-34767

Code Behaviors & Features

Detect and mitigate CVE-2026-34767 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →