CVE-2026-34768: Electron: Unquoted executable path in app.setLoginItemSettings on Windows
On Windows, app.setLoginItemSettings({openAtLogin: true}) wrote the executable path to the Run registry key without quoting. If the app is installed to a path containing spaces, an attacker with write access to an ancestor directory may be able to cause a different executable to run at login instead of the intended app.
On a default Windows install, standard system directories are protected against writes by standard users, so exploitation typically requires a non-standard install location.
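A defender-side check for the condition described above, as an added example (not code from Electron or from this advisory): it parses `reg query` output for a Run key and flags values whose executable path contains spaces but is not quoted, with the quoted form as the suggested fix. The sample entries, the key path shown, the function names and the `.exe`-suffix heuristic are assumptions.

```javascript
// Added example: audit Windows Run-key values for unquoted executable paths.
// SAMPLE is constructed `reg query` output; app names and paths are made up.
const SAMPLE = [
  'HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run',
  '    ExampleApp    REG_SZ    D:\\Team Tools\\Example App\\ExampleApp.exe --hidden',
  '    QuotedApp    REG_SZ    "D:\\Team Tools\\Quoted App\\QuotedApp.exe" --hidden',
  '    NoSpaces    REG_SZ    C:\\Tools\\nospace.exe /background',
].join('\r\n');

// Extract {name, type, data} from each value line of `reg query` output.
function parseRunValues(text) {
  const valueLine = /^\s+(.+?)\s{4}(REG_SZ|REG_EXPAND_SZ)\s{4}(.*)$/;
  return text.split(/\r?\n/)
    .map((line) => valueLine.exec(line))
    .filter(Boolean)
    .map(([, name, type, data]) => ({ name, type, data }));
}

// Classify one command line. Heuristic (assumption): the executable ends at
// the first ".exe" that is followed by whitespace or end of string.
function auditCommand(data) {
  const cmd = data.trim();
  if (cmd.startsWith('"')) return { status: 'quoted', suggested: null };
  const m = /^(.*?\.exe)(?=\s|$)/i.exec(cmd);
  if (!m) return { status: cmd.includes(' ') ? 'review' : 'ok', suggested: null };
  const exe = m[1];
  if (!/\s/.test(exe)) return { status: 'ok', suggested: null };
  // Path has spaces and no quotes: the state this advisory describes.
  return { status: 'unquoted-spaces', suggested: `"${exe}"${cmd.slice(exe.length)}` };
}

// Parse the whole key dump and attach a status to every value.
function auditRunKey(text) {
  return parseRunValues(text).map((v) => ({ ...v, ...auditCommand(v.data) }));
}

for (const r of auditRunKey(SAMPLE)) {
  console.log(`${r.name}: ${r.status}${r.suggested ? ' -> ' + r.suggested : ''}`);
}
```

Entries reported as `review` have no recognisable `.exe` suffix and need a manual look.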