CVE-2026-34769: Electron: Renderer command-line switch injection via undocumented commandLineSwitches webPreference

April 3, 2026 (updated April 6, 2026)

An undocumented commandLineSwitches webPreference allowed arbitrary switches to be appended to the renderer process command line. Apps that construct webPreferences by spreading untrusted configuration objects may inadvertently allow an attacker to inject switches that disable renderer sandboxing or web security controls.

Apps are only affected if they construct webPreferences from external or untrusted input without an allowlist. Apps that use a fixed, hardcoded webPreferences object are not affected.

References

github.com/advisories/GHSA-9wfr-w7mm-pc7f
github.com/electron/electron
github.com/electron/electron/security/advisories/GHSA-9wfr-w7mm-pc7f
nvd.nist.gov/vuln/detail/CVE-2026-34769

Code Behaviors & Features

Detect and mitigate CVE-2026-34769 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →