Bug 2455022 (CVE-2026-34777)
| Summary: | CVE-2026-34777 Electron: Electron: Unauthorized permission granting and information disclosure via incorrect iframe origin | ||
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | OSIDB Bzimport <bzimport> |
| Component: | vulnerability | Assignee: | Product Security DevOps Team <prodsec-dev> |
| Status: | NEW --- | QA Contact: | |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | ||
| Version: | unspecified | Keywords: | Security |
| Target Milestone: | --- | ||
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | --- | |
| Doc Text: |
A flaw was found in Electron, a framework for building desktop applications. When an embedded iframe requests permissions, such as for fullscreen or media access, the framework incorrectly provides the origin of the main page instead of the requesting iframe's origin. This vulnerability allows a remote attacker, through malicious embedded content, to potentially gain unauthorized permissions. This could lead to unintended information disclosure or other unauthorized actions by the third-party content within the application. The correct requesting URL remains available via details.requestingUrl. Apps that already check details.requestingUrl are not affected.
|
Story Points: | --- |
| Clone Of: | Environment: | ||
| Last Closed: | Type: | --- | |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | 2455444, 2455445 | ||
| Bug Blocks: | |||
|
Description
OSIDB Bzimport
2026-04-04 01:01:24 UTC
|