CVE-2026-34768 Overview
CVE-2026-34768 is an unquoted search path vulnerability in Electron, a widely-used framework for building cross-platform desktop applications using JavaScript, HTML, and CSS. The vulnerability exists in how Electron's app.setLoginItemSettings({openAtLogin: true}) function writes the executable path to the Windows Run registry key without proper quoting.
When an Electron application is installed to a directory path containing spaces, an attacker with write access to an ancestor directory can exploit this flaw to execute arbitrary code at system login instead of the intended application. This represents a significant local privilege escalation vector on affected Windows systems.
Critical Impact
Attackers with local write access to directories in the application's installation path can achieve persistent arbitrary code execution at user login, potentially leading to complete system compromise.
Affected Products
- Electron versions prior to 38.8.6
- Electron versions prior to 39.8.1
- Electron versions prior to 40.8.0
- Electron version 41.0.0 alpha and beta releases prior to 41.0.0-beta.8
Discovery Timeline
- 2026-04-04 - CVE-2026-34768 published to NVD
- 2026-04-09 - Last updated in NVD database
Technical Details for CVE-2026-34768
Vulnerability Analysis
This vulnerability is classified as CWE-428 (Unquoted Search Path or Element), a well-known class of Windows-specific security issues. When an application writes an unquoted path containing spaces to the Windows registry (particularly startup locations like the Run key), Windows interprets the path ambiguously.
For example, if an Electron application is installed at C:\Program Files\My App\app.exe, the unquoted registry entry allows Windows to attempt execution of C:\Program.exe, C:\Program Files\My.exe, or C:\Program Files\My App\app.exe in sequence until one succeeds.
An attacker who can write to C:\Program.exe or create C:\Program Files\My.exe before the legitimate application is found can achieve code execution in the context of the user logging in. While standard Windows installations protect system directories like C:\Program Files, non-standard installation locations (such as user-writable directories) significantly increase the exploitability of this vulnerability.
Root Cause
The root cause lies in the app.setLoginItemSettings() API implementation on Windows. When applications call this function with {openAtLogin: true}, Electron writes the application's executable path directly to the Windows registry Run key without enclosing it in quotation marks. This omission violates Windows security best practices for path handling in registry entries and allows the operating system's path parsing behavior to be exploited.
Attack Vector
Exploitation requires local access and the ability to write to a directory that is a parent of the application's installation path. The attack flow proceeds as follows:
- Identify an Electron application using app.setLoginItemSettings({openAtLogin: true}) installed to a path with spaces
- Locate a writable ancestor directory in the path hierarchy
- Plant a malicious executable with a name matching a potential path truncation point (e.g., Program.exe or My.exe)
- Wait for the target user to log in, triggering execution of the malicious executable instead of the legitimate application
This vulnerability has a local attack vector, requiring the attacker to either have existing access to the target system or leverage another vulnerability for initial access. On default Windows installations where applications are installed to protected system directories, exploitation typically requires non-standard installation configurations.
Detection Methods for CVE-2026-34768
Indicators of Compromise
- Unexpected executables appearing in root directories or parent directories of Electron application installations (e.g., C:\Program.exe)
- Registry Run key entries containing unquoted paths with spaces pointing to Electron applications
- Unusual process execution chains at user login where unexpected executables launch before legitimate applications
- File creation events in system or application directories by non-administrative users
Detection Strategies
- Monitor the Windows registry Run keys (HKCU\Software\Microsoft\Windows\CurrentVersion\Run and HKLM\Software\Microsoft\Windows\CurrentVersion\Run) for unquoted paths containing spaces
- Implement file integrity monitoring on directories that are common truncation points in installation paths
- Deploy endpoint detection rules to alert on executable files created in unexpected locations such as drive roots or C:\Program Files\ with unusual names
- Use SentinelOne's behavioral AI to detect anomalous process execution patterns at user login
Monitoring Recommendations
- Enable Windows Security Event logging for registry modifications (Event ID 4657) on Run keys
- Configure alerts for new executable file creation in system root directories and common installation parent paths
- Audit Electron applications in your environment for versions affected by this vulnerability
- Review startup entries periodically for paths that lack proper quoting
How to Mitigate CVE-2026-34768
Immediate Actions Required
- Inventory all Electron-based applications in your environment and identify their installed versions
- Prioritize upgrading Electron applications to patched versions: 38.8.6, 39.8.1, 40.8.0, or 41.0.0-beta.8 and later
- Review installation locations of Electron applications and ensure they reside in properly protected directories
- Audit Run registry keys for unquoted paths and manually correct entries where immediate patching is not possible
Patch Information
Electron has released security patches addressing this vulnerability in the following versions:
| Branch | Patched Version |
|---|---|
| 38.x | 38.8.6 |
| 39.x | 39.8.1 |
| 40.x | 40.8.0 |
| 41.x | 41.0.0-beta.8 |
Application developers using Electron should update their framework dependency to one of these patched versions and release updated builds of their applications. End users should apply application updates as they become available. For detailed patch information, refer to the Electron Security Advisory.
Workarounds
- Install Electron applications only to protected system directories (e.g., C:\Program Files\) where standard users cannot write
- Manually edit registry Run key entries to add quotation marks around paths containing spaces
- Restrict write permissions on directories that are ancestors of application installation paths
- Consider disabling automatic login startup for affected applications until patches can be applied
# PowerShell: Audit unquoted paths in Run registry keys
Get-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Run" |
ForEach-Object { $_.PSObject.Properties } |
Where-Object { $_.Value -match '^\s*[^"].*\s+.*\.exe' } |
Select-Object Name, Value
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
