CVE-2026-34779 Overview
CVE-2026-34779 is a command injection vulnerability [CWE-78] in the Electron framework on macOS. The flaw resides in the app.moveToApplicationsFolder() API, which uses an AppleScript fallback path that fails to sanitize specific characters in the application bundle path. An attacker who controls the launch path of an Electron application can inject arbitrary AppleScript commands. Execution occurs when the user accepts the move-to-Applications prompt. Only applications that explicitly invoke app.moveToApplicationsFolder() are affected. The issue is fixed in Electron 38.8.6, 39.8.1, 40.8.0, and 41.0.0-beta.8.
Critical Impact
A crafted application bundle path can trigger arbitrary AppleScript execution in the user's context on macOS, enabling local code execution with user interaction.
Affected Products
- Electron versions prior to 38.8.6
- Electron 39.x prior to 39.8.1 and 40.x prior to 40.8.0
- Electron 41.0.0-alpha1 through 41.0.0-beta7
Discovery Timeline
- 2026-04-04 - CVE-2026-34779 published to NVD
- 2026-04-14 - Last updated in NVD database
Technical Details for CVE-2026-34779
Vulnerability Analysis
The defect is an OS command injection in Electron's macOS-specific helper that relocates the running application into /Applications. When the standard Cocoa relocation path is unavailable, Electron falls back to invoking AppleScript through osascript or an equivalent scripting bridge. The fallback constructs an AppleScript string by embedding the application bundle path without escaping AppleScript meta-characters. An attacker who can influence where the application bundle is launched from — for example, by distributing a renamed or repackaged bundle inside a disk image — can place AppleScript syntax inside that path. When the user clicks the prompt to move the app to /Applications, the injected script runs.
Root Cause
The root cause is improper neutralization of special elements used in an AppleScript command. The fallback path concatenates an attacker-influenceable string (the bundle path) into a script body rather than passing it as a parameter or escaping quote and bracket characters. This is a classic command injection pattern mapped to [CWE-78].
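The following is an added illustration, not Electron's code: it shows how a bundle path spliced into an AppleScript string literal either stays confined to that literal or leaks into the surrounding script, depending on whether quote and backslash characters are escaped. The Finder script text is an assumed stand-in for whatever Electron's fallback actually builds; the sample path is constructed.

```javascript
// Added example (not Electron's code). The Finder script wording is an
// assumption used only to show the string-literal boundary problem.

// Naive construction: the path is spliced straight into a string literal.
function buildMoveScriptUnsafe(bundlePath) {
  return 'tell application "Finder" to move POSIX file "' + bundlePath +
         '" to folder "Applications" of startup disk';
}

// Inside an AppleScript string literal only backslash and double quote need
// escaping; escape the backslash first so the added backslashes are not doubled.
function escapeAppleScriptString(s) {
  return s.replace(/\\/g, '\\\\').replace(/"/g, '\\"');
}

// Hardened construction: same template, path escaped before splicing.
function buildMoveScriptSafe(bundlePath) {
  return 'tell application "Finder" to move POSIX file "' +
         escapeAppleScriptString(bundlePath) +
         '" to folder "Applications" of startup disk';
}

// Return the script with every string literal collapsed to "", honouring
// backslash escapes. This is the part AppleScript would treat as code; for
// a correctly escaped path it must be identical to the template's code.
function codeOutsideStrings(script) {
  let out = '';
  let inString = false;
  for (let i = 0; i < script.length; i++) {
    const ch = script[i];
    if (!inString) {
      if (ch === '"') inString = true; else out += ch;
    } else if (ch === '\\') {
      i += 1;                 // skip the escaped character
    } else if (ch === '"') {
      inString = false;
      out += '""';
    }
  }
  return out;
}

// Code skeleton expected for any path, derived from a harmless path.
const TEMPLATE_CODE = codeOutsideStrings(buildMoveScriptSafe('/Applications/Benign.app'));

// True when the path is confined to its literal, i.e. the code AppleScript
// would parse is unchanged by the path's contents.
function pathStaysInsideLiteral(bundlePath, build) {
  return codeOutsideStrings(build(bundlePath)) === TEMPLATE_CODE;
}

// Constructed sample: a mounted volume whose name contains a double quote.
const SAMPLE_PATH = '/Volumes/Cool " Installer/Cool.app';
console.log('unsafe builder keeps path inside literal:', pathStaysInsideLiteral(SAMPLE_PATH, buildMoveScriptUnsafe)); // false
console.log('safe builder keeps path inside literal:  ', pathStaysInsideLiteral(SAMPLE_PATH, buildMoveScriptSafe));   // true
```

The check in pathStaysInsideLiteral is the property a reviewer wants from any such fallback: whatever the path contains, the non-string part of the script must be byte-identical to the template. Passing the path as an argument to a compiled script instead of building script text avoids the question entirely.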
Attack Vector
Exploitation requires local delivery of a crafted Electron application and user interaction with the relocation dialog. The attacker prepares an Electron-based app with a bundle path containing AppleScript injection payloads. The user mounts the package and launches the application from outside /Applications. The application then calls app.moveToApplicationsFolder(), the prompt appears, and acceptance triggers the AppleScript fallback. The injected script executes with the privileges of the current user, enabling file access, persistence, or follow-on payload execution. No verified exploit code is publicly available. See the Electron GitHub Security Advisory GHSA-5rqw-r77c-jp79 for vendor-provided technical details.
Detection Methods for CVE-2026-34779
Indicators of Compromise
- Execution of osascript spawned as a child of an Electron application binary shortly after a user-initiated app launch from a disk image or download location.
- Unusual AppleScript activity invoking do shell script, tell application "System Events", or writing to user persistence locations such as ~/Library/LaunchAgents.
- Electron application bundles with non-standard characters (quotes, backslashes, parentheses) in the bundle path or .app directory name.
Detection Strategies
- Inventory installed Electron applications and identify versions below 38.8.6, 39.8.1, or 40.8.0 using software asset management telemetry.
- Hunt for process trees where an Electron Helper or main process spawns osascript immediately after launch, correlated with the bundle path containing shell or AppleScript metacharacters.
- Inspect quarantine attributes (com.apple.quarantine) on .app bundles delivered from external sources to identify suspicious origins.
Monitoring Recommendations
- Forward macOS Endpoint Security ES_EVENT_TYPE_NOTIFY_EXEC events for osascript to a central log store and alert on Electron-parented invocations.
- Monitor file integrity in /Applications and user LaunchAgents directories for changes following an Electron app first-run prompt.
- Track AppleScript execution that issues do shell script calls with elevated commands or network activity.
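As an added example of the hunt described under Detection Strategies and Monitoring Recommendations (not from the page or any vendor product), the script below walks a set of process-exec events, finds osascript launches whose ancestor chain contains a process from a known Electron bundle, measures the delay from that bundle's launch, and raises the severity when the bundle path contains the metacharacters listed above. The event shape, the Electron inventory and the sample events are all constructed; map the field names onto whatever your Endpoint Security or EDR collector emits.

```javascript
// Added example: hunt for osascript spawned under an Electron application
// shortly after launch. All data below is constructed for illustration.

// Constructed inventory: bundles known to embed Electron Framework.framework
// (in practice, output of an asset inventory or the find command in this page).
const ELECTRON_BUNDLES = [
  '/Applications/Notes.app',
  '/Volumes/Installer/Cool " App.app',
];

// Characters the advisory calls out as suspicious in a bundle path.
const METACHARS = /["\\()]/;

// Constructed exec events: ts in seconds, image = executable path.
const EVENTS = [
  { ts: 100, pid: 500, ppid: 1,   image: '/Applications/Notes.app/Contents/MacOS/Notes' },
  { ts: 101, pid: 501, ppid: 500, image: '/Applications/Notes.app/Contents/Frameworks/Notes Helper (Renderer).app/Contents/MacOS/Notes Helper (Renderer)' },
  { ts: 200, pid: 600, ppid: 1,   image: '/Volumes/Installer/Cool " App.app/Contents/MacOS/Cool' },
  { ts: 204, pid: 601, ppid: 600, image: '/usr/bin/osascript' },
  { ts: 300, pid: 700, ppid: 1,   image: '/System/Applications/Utilities/Terminal.app/Contents/MacOS/Terminal' },
  { ts: 301, pid: 701, ppid: 700, image: '/usr/bin/osascript' },
  { ts: 900, pid: 800, ppid: 500, image: '/usr/bin/osascript' }, // Electron-parented, but long after launch
];

// Which inventoried bundle, if any, does this executable live in?
function electronBundleFor(image) {
  return ELECTRON_BUNDLES.find((b) => image.startsWith(b + '/')) || null;
}

// Walk the parent chain and return the outermost Electron process, so that
// osascript spawned by a helper is still measured from the main process start.
function electronAncestor(event, byPid) {
  let found = null;
  let cur = byPid.get(event.ppid);
  while (cur) {
    const bundle = electronBundleFor(cur.image);
    if (bundle) found = { event: cur, bundle };
    cur = byPid.get(cur.ppid);
  }
  return found;
}

// Alerts for osascript executions under an Electron app within windowSeconds
// of that app's launch; bundle paths with metacharacters are rated high.
function findSuspiciousOsascript(events, windowSeconds = 60) {
  const byPid = new Map(events.map((e) => [e.pid, e]));
  const alerts = [];
  for (const e of events) {
    if (!e.image.endsWith('/osascript')) continue;
    const anc = electronAncestor(e, byPid);
    if (!anc) continue;
    const sinceLaunch = e.ts - anc.event.ts;
    if (sinceLaunch > windowSeconds) continue;
    const hasMeta = METACHARS.test(anc.bundle);
    alerts.push({
      pid: e.pid,
      electronPid: anc.event.pid,
      bundle: anc.bundle,
      secondsSinceLaunch: sinceLaunch,
      metacharsInBundlePath: hasMeta,
      severity: hasMeta ? 'high' : 'medium',
    });
  }
  return alerts;
}

console.log(findSuspiciousOsascript(EVENTS));
```

With the sample data only pid 601 is reported: the Terminal-spawned osascript has no Electron ancestor, and the late osascript under Notes.app falls outside the 60-second window (it appears if the window is widened, at medium severity because the path is plain).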
How to Mitigate CVE-2026-34779
Immediate Actions Required
- Upgrade Electron to 38.8.6, 39.8.1, 40.8.0, or 41.0.0-beta.8 and rebuild all affected applications.
- Audit application source code for use of app.moveToApplicationsFolder() and prioritize patching those builds.
- Re-sign and re-distribute patched application bundles to end users, replacing vulnerable copies already deployed.
Patch Information
The Electron maintainers released fixed versions 38.8.6, 39.8.1, 40.8.0, and 41.0.0-beta.8. The patches sanitize the bundle path before constructing the AppleScript fallback used by app.moveToApplicationsFolder(). Refer to the Electron GitHub Security Advisory GHSA-5rqw-r77c-jp79 for release notes and patch commit references.
Workarounds
- Remove or comment out calls to app.moveToApplicationsFolder() in application code until a patched Electron version is integrated.
- Restrict application distribution to signed, notarized bundles installed directly into /Applications, eliminating the relocation prompt path.
- Enforce a macOS allowlist via configuration management so that only known-good Electron application bundles can launch from user-writable locations.
# Identify installed Electron application versions on a macOS host.
# The Electron version is the CFBundleShortVersionString of the embedded
# Electron Framework.framework bundle (under <App>.app/Contents/Frameworks/);
# each line prints the .app path followed by that version.
find /Applications -type d -name 'Electron Framework.framework' -path '*Contents/Frameworks*' \
  -exec sh -c 'printf "%s: " "${1%%/Contents/*}"; defaults read "$1/Resources/Info.plist" CFBundleShortVersionString' _ {} \;
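For builds that cannot take a patched Electron immediately, the following added example (not Electron's code and not one of the page's own workarounds) shows an application-side guard that only calls app.moveToApplicationsFolder() when the executable path is free of the quote, backslash and parenthesis characters named above. It is a narrower compensating control than removing the call outright, which remains the simpler option. The Electron app object is passed in as a parameter so the logic can be exercised with a constructed stub outside Electron; in a real main process, pass require('electron').app. The API names app.getPath('exe'), app.isInApplicationsFolder() and app.moveToApplicationsFolder() are Electron's; the stub and sample paths are constructed.

```javascript
// Added example: guard around app.moveToApplicationsFolder() for an
// application still shipping a vulnerable Electron. Not Electron's fix.

// Characters the advisory lists as suspicious in a bundle path. Note that a
// browser download named "Cool (1).app" also matches, so it will simply not
// be offered relocation; that is the intended fail-closed behaviour.
const UNSAFE_PATH_CHARS = /["\\()]/;

// Pure decision: platform, executable path, and whether the bundle already
// lives in /Applications (the value of app.isInApplicationsFolder()).
function relocationDecision(platform, exePath, inApplicationsFolder) {
  if (platform !== 'darwin') return { move: false, reason: 'not macOS' };
  if (inApplicationsFolder) return { move: false, reason: 'already in /Applications' };
  if (UNSAFE_PATH_CHARS.test(exePath)) return { move: false, reason: 'unsafe characters in bundle path' };
  return { move: true, reason: 'plain path outside /Applications' };
}

// Wrapper around the Electron calls. app.moveToApplicationsFolder() returns
// false when the user declines the prompt or the move fails; on success the
// app quits and relaunches from /Applications.
function maybeMoveToApplications(app, platform = process.platform) {
  const decision = relocationDecision(platform, app.getPath('exe'), app.isInApplicationsFolder());
  if (decision.move) decision.moved = app.moveToApplicationsFolder();
  return decision;
}

// Constructed stub standing in for Electron's app object (hypothetical).
function stubApp(exePath, moved = true) {
  return {
    calls: 0,
    getPath: () => exePath,
    isInApplicationsFolder: () => exePath.startsWith('/Applications/'),
    moveToApplicationsFolder() { this.calls += 1; return moved; },
  };
}

console.log(maybeMoveToApplications(stubApp('/Volumes/Cool " Installer/Cool.app/Contents/MacOS/Cool'), 'darwin'));
console.log(maybeMoveToApplications(stubApp('/Users/me/Downloads/Cool.app/Contents/MacOS/Cool'), 'darwin'));
```

In the real main process the call site is simply maybeMoveToApplications(app) after the 'ready' event; the decision object's reason field is worth logging so a skipped prompt can be distinguished from a declined one.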
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

