CWE-653
AllowedImproper Isolation or Compartmentalization
Abstraction: Class · Status: Draft
The product does not properly compartmentalize or isolate functionality, processes, or resources that require different privilege levels, rights, or permissions.
101 vulnerabilities reference this CWE, most recent first.
GHSA-XWR5-M59H-VWQR
Vulnerability from github – Published: 2026-04-03 02:43 – Updated: 2026-04-06 23:11Impact
The nodeIntegrationInWorker webPreference was not correctly scoped in all configurations. In certain process-sharing scenarios, workers spawned in frames configured with nodeIntegrationInWorker: false could still receive Node.js integration.
Apps are only affected if they enable nodeIntegrationInWorker. Apps that do not use nodeIntegrationInWorker are not affected.
Workarounds
Avoid enabling nodeIntegrationInWorker in apps that also open child windows or embed content with differing webPreferences.
Fixed Versions
41.0.040.8.439.8.438.8.6
For more information
If there are any questions or comments about this advisory, please email security@electronjs.org
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "electron"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "38.8.6"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "npm",
"name": "electron"
},
"ranges": [
{
"events": [
{
"introduced": "39.0.0-alpha.1"
},
{
"fixed": "39.8.4"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "npm",
"name": "electron"
},
"ranges": [
{
"events": [
{
"introduced": "40.0.0-alpha.1"
},
{
"fixed": "40.8.4"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "npm",
"name": "electron"
},
"ranges": [
{
"events": [
{
"introduced": "41.0.0-alpha.1"
},
{
"fixed": "41.0.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-34775"
],
"database_specific": {
"cwe_ids": [
"CWE-653"
],
"github_reviewed": true,
"github_reviewed_at": "2026-04-03T02:43:05Z",
"nvd_published_at": "2026-04-04T00:16:18Z",
"severity": "MODERATE"
},
"details": "### Impact\nThe `nodeIntegrationInWorker` webPreference was not correctly scoped in all configurations. In certain process-sharing scenarios, workers spawned in frames configured with `nodeIntegrationInWorker: false` could still receive Node.js integration.\n\nApps are only affected if they enable `nodeIntegrationInWorker`. Apps that do not use `nodeIntegrationInWorker` are not affected.\n\n### Workarounds\nAvoid enabling `nodeIntegrationInWorker` in apps that also open child windows or embed content with differing webPreferences.\n\n### Fixed Versions\n* `41.0.0`\n* `40.8.4`\n* `39.8.4`\n* `38.8.6`\n\n### For more information\nIf there are any questions or comments about this advisory, please email [security@electronjs.org](mailto:security@electronjs.org)",
"id": "GHSA-xwr5-m59h-vwqr",
"modified": "2026-04-06T23:11:00Z",
"published": "2026-04-03T02:43:05Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/electron/electron/security/advisories/GHSA-xwr5-m59h-vwqr"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-34775"
},
{
"type": "PACKAGE",
"url": "https://github.com/electron/electron"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N",
"type": "CVSS_V3"
}
],
"summary": "Electron: nodeIntegrationInWorker not correctly scoped in shared renderer processes"
}
Mitigation
Break up privileges between different modules, objects, or entities. Minimize the interfaces between modules and require strong access control between them.
No CAPEC attack patterns related to this CWE.