{
  "threat_severity" : "Moderate",
  "public_date" : "2026-04-03T23:57:36Z",
  "bugzilla" : {
    "description" : "Electron: Electron: Unauthorized permission granting and information disclosure via incorrect iframe origin",
    "id" : "2455022",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2455022"
  },
  "cvss3" : {
    "cvss3_base_score" : "5.4",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N",
    "status" : "draft"
  },
  "cwe" : "CWE-346",
  "details" : [ "Electron is a framework for writing cross-platform desktop applications using JavaScript, HTML and CSS. Prior to versions 38.8.6, 39.8.1, 40.8.1, and 41.0.0, when an iframe requests fullscreen, pointerLock, keyboardLock, openExternal, or media permissions, the origin passed to session.setPermissionRequestHandler() was the top-level page's origin rather than the requesting iframe's origin. Apps that grant permissions based on the origin parameter or webContents.getURL() may inadvertently grant permissions to embedded third-party content. The correct requesting URL remains available via details.requestingUrl. Apps that already check details.requestingUrl are not affected. This issue has been patched in versions 38.8.6, 39.8.1, 40.8.1, and 41.0.0.", "A flaw was found in Electron, a framework for building desktop applications. When an embedded iframe requests permissions, such as for fullscreen or media access, the framework incorrectly provides the origin of the main page instead of the requesting iframe's origin. This vulnerability allows a remote attacker, through malicious embedded content, to potentially gain unauthorized permissions. This could lead to unintended information disclosure or other unauthorized actions by the third-party content within the application. The correct requesting URL remains available via details.requestingUrl. Apps that already check details.requestingUrl are not affected." ],
  "package_state" : [ {
    "product_name" : "Red Hat Build of Podman Desktop",
    "fix_state" : "Fix deferred",
    "package_name" : "podman-desktop-macos-1-0",
    "cpe" : "cpe:/a:redhat:podman_desktop:1"
  }, {
    "product_name" : "Red Hat Build of Podman Desktop",
    "fix_state" : "Fix deferred",
    "package_name" : "podman-desktop-windows-1-0",
    "cpe" : "cpe:/a:redhat:podman_desktop:1"
  }, {
    "product_name" : "Red Hat Build of Podman Desktop - Tech Preview",
    "fix_state" : "Fix deferred",
    "package_name" : "rhdesktop/rh-podman-desktop-ext-openshift-local-rhel10",
    "cpe" : "cpe:/a:redhat:podman_desktop:0"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2026-34777\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-34777\nhttps://github.com/electron/electron/security/advisories/GHSA-r5p7-gp4j-qhrx" ],
  "name" : "CVE-2026-34777",
  "mitigation" : {
    "value" : "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
    "lang" : "en:us"
  },
  "csaw" : false
}