CVE-2026-34773: Electron: Registry key path injection in app.setAsDefaultProtocolClient on Windows

April 3, 2026 (updated April 6, 2026)

On Windows, app.setAsDefaultProtocolClient(protocol) did not validate the protocol name before writing to the registry. Apps that pass untrusted input as the protocol name may allow an attacker to write to arbitrary subkeys under HKCU\Software\Classes\, potentially hijacking existing protocol handlers.

Apps are only affected if they call app.setAsDefaultProtocolClient() with a protocol name derived from external or untrusted input. Apps that use a hardcoded protocol name are not affected.

References

github.com/advisories/GHSA-mwmh-mq4g-g6gr
github.com/electron/electron
github.com/electron/electron/security/advisories/GHSA-mwmh-mq4g-g6gr
nvd.nist.gov/vuln/detail/CVE-2026-34773

Code Behaviors & Features

Detect and mitigate CVE-2026-34773 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →