CVE-2026-34777: Electron: Incorrect origin passed to permission request handler for iframe requests

April 3, 2026 (updated April 6, 2026)

When an iframe requests fullscreen, pointerLock, keyboardLock, openExternal, or media permissions, the origin passed to session.setPermissionRequestHandler() was the top-level page’s origin rather than the requesting iframe’s origin. Apps that grant permissions based on the origin parameter or webContents.getURL() may inadvertently grant permissions to embedded third-party content.

The correct requesting URL remains available via details.requestingUrl. Apps that already check details.requestingUrl are not affected.

References

github.com/advisories/GHSA-r5p7-gp4j-qhrx
github.com/electron/electron
github.com/electron/electron/security/advisories/GHSA-r5p7-gp4j-qhrx
nvd.nist.gov/vuln/detail/CVE-2026-34777

Code Behaviors & Features

Detect and mitigate CVE-2026-34777 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →