{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-34766", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-30T19:54:55.554Z", "datePublished": "2026-04-03T23:35:10.204Z", "dateUpdated": "2026-04-06T19:07:15.349Z"}, "containers": {"cna": {"title": "Electron: USB device selection not validated against filtered device list", "problemTypes": [{"descriptions": [{"cweId": "CWE-862", "lang": "en", "description": "CWE-862: Missing Authorization", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 3.3, "baseSeverity": "LOW", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/electron/electron/security/advisories/GHSA-9899-m83m-qhpj", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/electron/electron/security/advisories/GHSA-9899-m83m-qhpj"}], "affected": [{"vendor": "electron", "product": "electron", "versions": [{"version": "< 38.8.6", "status": "affected"}, {"version": ">= 39.0.0-alpha.1, < 39.8.0", "status": "affected"}, {"version": ">= 40.0.0-alpha.1, < 40.7.0", "status": "affected"}, {"version": ">= 41.0.0-alpha.1, < 41.0.0-beta.8", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-03T23:35:10.204Z"}, "descriptions": [{"lang": "en", "value": "Electron is a framework for writing cross-platform desktop applications using JavaScript, HTML and CSS. Prior to versions 38.8.6, 39.8.0, 40.7.0, and 41.0.0-beta.8, the select-usb-device event callback did not validate the chosen device ID against the filtered list that was presented to the handler. An app whose handler could be influenced to select a device ID outside the filtered set would grant access to a device that did not match the renderer's requested filters or was listed in exclusionFilters. The WebUSB security blocklist remained enforced regardless, so security-sensitive devices on the blocklist were not affected. The practical impact is limited to apps with unusual device-selection logic. This issue has been patched in versions 38.8.6, 39.8.0, 40.7.0, and 41.0.0-beta.8."}], "source": {"advisory": "GHSA-9899-m83m-qhpj", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-06T19:07:01.376095Z", "id": "CVE-2026-34766", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-06T19:07:15.349Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-34766", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-06T19:07:01.376095Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-06T19:07:11.210Z"}}], "cna": {"title": "Electron: USB device selection not validated against filtered device list", "source": {"advisory": "GHSA-9899-m83m-qhpj", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 3.3, "attackVector": "LOCAL", "baseSeverity": "LOW", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}}], "affected": [{"vendor": "electron", "product": "electron", "versions": [{"status": "affected", "version": "< 38.8.6"}, {"status": "affected", "version": ">= 39.0.0-alpha.1, < 39.8.0"}, {"status": "affected", "version": ">= 40.0.0-alpha.1, < 40.7.0"}, {"status": "affected", "version": ">= 41.0.0-alpha.1, < 41.0.0-beta.8"}]}], "references": [{"url": "https://github.com/electron/electron/security/advisories/GHSA-9899-m83m-qhpj", "name": "https://github.com/electron/electron/security/advisories/GHSA-9899-m83m-qhpj", "tags": ["x_refsource_CONFIRM"]}], "descriptions": [{"lang": "en", "value": "Electron is a framework for writing cross-platform desktop applications using JavaScript, HTML and CSS. Prior to versions 38.8.6, 39.8.0, 40.7.0, and 41.0.0-beta.8, the select-usb-device event callback did not validate the chosen device ID against the filtered list that was presented to the handler. An app whose handler could be influenced to select a device ID outside the filtered set would grant access to a device that did not match the renderer's requested filters or was listed in exclusionFilters. The WebUSB security blocklist remained enforced regardless, so security-sensitive devices on the blocklist were not affected. The practical impact is limited to apps with unusual device-selection logic. This issue has been patched in versions 38.8.6, 39.8.0, 40.7.0, and 41.0.0-beta.8."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-862", "description": "CWE-862: Missing Authorization"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-03T23:35:10.204Z"}}}, "cveMetadata": {"cveId": "CVE-2026-34766", "state": "PUBLISHED", "dateUpdated": "2026-04-06T19:07:15.349Z", "dateReserved": "2026-03-30T19:54:55.554Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-04-03T23:35:10.204Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:electronjs:electron:*:*:*:*:*:node.js:*:*", "matchCriteriaId": "9CE003A2-03CC-4355-AA17-2CBD204EC6C3", "versionEndExcluding": "38.8.6", "vulnerable": true}, {"criteria": "cpe:2.3:a:electronjs:electron:*:*:*:*:*:node.js:*:*", "matchCriteriaId": "642CA6B2-000A-480D-B062-80593D150787", "versionEndExcluding": "39.8.0", "versionStartIncluding": "39.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:electronjs:electron:*:*:*:*:*:node.js:*:*", "matchCriteriaId": "E54036E0-1D1F-4265-A2F3-B9C1F88F65ED", "versionEndExcluding": "40.7.0", "versionStartIncluding": "40.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:electronjs:electron:41.0.0:alpha1:*:*:*:node.js:*:*", "matchCriteriaId": "A20225D6-F435-4D09-962D-B162F521B6AD", "vulnerable": true}, {"criteria": "cpe:2.3:a:electronjs:electron:41.0.0:alpha2:*:*:*:node.js:*:*", "matchCriteriaId": "33712802-EB60-4E9A-83B8-9F2320B70CB4", "vulnerable": true}, {"criteria": "cpe:2.3:a:electronjs:electron:41.0.0:alpha3:*:*:*:node.js:*:*", "matchCriteriaId": "9D0A9142-54FE-47BB-9FEB-5E97528E28FE", "vulnerable": true}, {"criteria": "cpe:2.3:a:electronjs:electron:41.0.0:alpha4:*:*:*:node.js:*:*", "matchCriteriaId": "9E1D191F-DEAE-4DB3-9822-F31AF9FE3BAC", "vulnerable": true}, {"criteria": "cpe:2.3:a:electronjs:electron:41.0.0:alpha5:*:*:*:node.js:*:*", "matchCriteriaId": "45A8192F-3D2C-4987-9BBE-7ECC3F71965D", "vulnerable": true}, {"criteria": "cpe:2.3:a:electronjs:electron:41.0.0:alpha6:*:*:*:node.js:*:*", "matchCriteriaId": "EEA1A2E5-03DB-46CB-8427-7F31A8A7CE1C", "vulnerable": true}, {"criteria": "cpe:2.3:a:electronjs:electron:41.0.0:beta1:*:*:*:node.js:*:*", "matchCriteriaId": "B2DFCE75-BD3F-4537-B5B8-14097E262EA2", "vulnerable": true}, {"criteria": "cpe:2.3:a:electronjs:electron:41.0.0:beta2:*:*:*:node.js:*:*", "matchCriteriaId": "BC346E25-EA43-4615-8CDB-16D15D46E4FF", "vulnerable": true}, {"criteria": "cpe:2.3:a:electronjs:electron:41.0.0:beta3:*:*:*:node.js:*:*", "matchCriteriaId": "FA5B3C00-CAFC-4995-BF35-9920F3039E77", "vulnerable": true}, {"criteria": "cpe:2.3:a:electronjs:electron:41.0.0:beta4:*:*:*:node.js:*:*", "matchCriteriaId": "3672F3FB-6B5E-40FD-8A92-CB4DD6BC6A93", "vulnerable": true}, {"criteria": "cpe:2.3:a:electronjs:electron:41.0.0:beta5:*:*:*:node.js:*:*", "matchCriteriaId": "9EE4F8AE-21D2-4815-85B7-B7ECCC0D5059", "vulnerable": true}, {"criteria": "cpe:2.3:a:electronjs:electron:41.0.0:beta6:*:*:*:node.js:*:*", "matchCriteriaId": "D195760C-7DD9-4259-9042-EDE65AEAC1D6", "vulnerable": true}, {"criteria": "cpe:2.3:a:electronjs:electron:41.0.0:beta7:*:*:*:node.js:*:*", "matchCriteriaId": "B370859F-24D3-4B25-B580-1A5B6DB94BFE", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Electron is a framework for writing cross-platform desktop applications using JavaScript, HTML and CSS. Prior to versions 38.8.6, 39.8.0, 40.7.0, and 41.0.0-beta.8, the select-usb-device event callback did not validate the chosen device ID against the filtered list that was presented to the handler. An app whose handler could be influenced to select a device ID outside the filtered set would grant access to a device that did not match the renderer's requested filters or was listed in exclusionFilters. The WebUSB security blocklist remained enforced regardless, so security-sensitive devices on the blocklist were not affected. The practical impact is limited to apps with unusual device-selection logic. This issue has been patched in versions 38.8.6, 39.8.0, 40.7.0, and 41.0.0-beta.8."}], "id": "CVE-2026-34766", "lastModified": "2026-04-09T16:23:12.870", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 3.3, "baseSeverity": "LOW", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 0.8, "impactScore": 2.5, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.5, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2026-04-04T00:16:17.140", "references": [{"source": "security-advisories@github.com", "tags": ["Vendor Advisory"], "url": "https://github.com/electron/electron/security/advisories/GHSA-9899-m83m-qhpj"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{"bugzilla": {"description": "Electron: Electron: Unauthorized USB device access via select-usb-device event callback validation bypass", "id": "2454998", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2454998"}, "csaw": false, "cvss3": {"cvss3_base_score": "3.3", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:N", "status": "draft"}, "cwe": "CWE-1289", "details": ["Electron is a framework for writing cross-platform desktop applications using JavaScript, HTML and CSS. Prior to versions 38.8.6, 39.8.0, 40.7.0, and 41.0.0-beta.8, the select-usb-device event callback did not validate the chosen device ID against the filtered list that was presented to the handler. An app whose handler could be influenced to select a device ID outside the filtered set would grant access to a device that did not match the renderer's requested filters or was listed in exclusionFilters. The WebUSB security blocklist remained enforced regardless, so security-sensitive devices on the blocklist were not affected. The practical impact is limited to apps with unusual device-selection logic. This issue has been patched in versions 38.8.6, 39.8.0, 40.7.0, and 41.0.0-beta.8.", "A flaw was found in Electron. An attacker could influence an application's handler for the `select-usb-device` event to select a USB device ID outside of the filtered list. This could grant access to a USB device that was not intended by the application's security filters, potentially leading to unintended device interactions. The practical impact is limited to applications with unusual device-selection logic."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."}, "name": "CVE-2026-34766", "package_state": [{"cpe": "cpe:/a:redhat:podman_desktop:1", "fix_state": "Fix deferred", "package_name": "podman-desktop-macos-1-0", "product_name": "Red Hat Build of Podman Desktop"}, {"cpe": "cpe:/a:redhat:podman_desktop:1", "fix_state": "Fix deferred", "package_name": "podman-desktop-windows-1-0", "product_name": "Red Hat Build of Podman Desktop"}, {"cpe": "cpe:/a:redhat:podman_desktop:0", "fix_state": "Fix deferred", "package_name": "rhdesktop/rh-podman-desktop-ext-openshift-local-rhel10", "product_name": "Red Hat Build of Podman Desktop - Tech Preview"}], "public_date": "2026-04-03T23:35:10Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-34766\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-34766\nhttps://github.com/electron/electron/security/advisories/GHSA-9899-m83m-qhpj"], "threat_severity": "Low"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,38.8.6)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[39.0.0-alpha.1,39.8.0)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[40.0.0-alpha.1,40.7.0)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[41.0.0-alpha.1,41.0.0-beta.8)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "electron", "source": "cna", "vendor": "electron"}, "product": "electron", "vendor": "electron"}], "analysis": {"en": {"generated_at": "2026-04-09T17:54:48.413161+00:00", "value": {"mitigation_remediation": ["Upgrade to a patched version of Electron (38.8.6, 39.8.0, 40.7.0, or 41.0.0-beta.8 or newer).", "If upgrading is not possible, audit the app\u2019s USB device selection logic to ensure only devices from the filtered list are chosen.", "Apply OS\u2011level USB access controls or sandboxing to restrict available peripherals."], "summary": {"action": "Patch", "impact": "Unauthorized USB device access"}, "threat_synthesis": {"affected_systems": "All Electron releases prior to 38.8.6, 39.8.0, 40.7.0, and 41.0.0-beta.8 are affected, covering versions 38.8.x before 38.8.6, 39.8.x before 39.8.0, 40.7.x before 40.7.0, and every beta before 41.0.0-beta.8; the vulnerability is confined to the Electron framework and does not impact earlier operating systems.", "description_and_impact": "Electron\u2019s select-usb-device event callback failed to verify that the selected device ID matched the list of devices presented to the handler, allowing an application to access any USB device that passed the WebUSB blocklist but was not included in the filtered set; this flaw gives the app unauthorized access to USB peripherals but does not enable code execution or broader system compromise.", "risk_and_exploitability": "The CVSS score of 3.3 indicates low severity, and with an EPSS below one percent the likelihood of exploitation is very low; it is not listed in the CISA KEV catalog, and because the flaw requires manipulation of the application\u2019s own USB selection logic it is not remotely exploitable from outside the app, limiting the risk to software that improperly handles device selection."}}}}, "created": "2026-04-06T21:21:43.484868+00:00", "updated": "2026-04-10T09:45:29.108985+00:00", "vendors": ["electron", "electron$PRODUCT$electron"]}