Intel

AIKIDO-2026-309397

electron is vulnerable to Improper Authorization

Improper Authorization Pre-CVE
Found by Aikido Intel before public disclosure or CVE publication.
Published 6 days ago

59

Medium Risk

This Affects:

JSelectron
7.0.0 - 40.10.5
Fixed in 40.10.6
41.0.0 - 41.9.0
Fixed in 41.9.1
42.0.0 - 42.5.0
Fixed in 42.5.1
Are you affected? Scan for Free

TL;DR

Electron's ElectronURLLoaderFactory handles custom protocol handlers that return a ProtocolResponse with a url, which triggers an upstream HTTP request. When the response omits ProtocolResponse.session, the upstream request is always issued through the default session instead of the session the protocol handler was registered on. Applications that register handlers on a non-default session therefore have these requests carry the default session's cookies, credentials, cache, and proxy configuration, breaking session isolation and using an unintended authentication context. The fix threads the registering browser context through the URL loader factory so the request defaults to the handler's own session as documented.

Who does this affect?

You are affected if you are using a version that falls within the vulnerable range and your application registers a custom protocol handler on a non-default session that returns ProtocolResponse.url responses without setting ProtocolResponse.session.

Background info

electron is vulnerable to Improper Authorization in versions 7.0.0 - 40.10.5, 41.0.0 - 41.9.0 and 42.0.0 - 42.5.0.

How to fix this

Upgrade the electron library to the patch version.