๐Ÿ” CVE Alert

CVE-2026-54673

Severity: UNKNOWN
CVSS Score: 0.0
EPSS Score: 0.0%
EPSS Percentile: 0th

electron-updater provides automatic updates for Electron apps. Before builder-util-runtime 9.7.0 (the package electron-updater uses for its HTTP requests), the redirect handler HttpExecutor.prepareRedirectUrlOptions only stripped a credential header whose key matched the exact lowercase string "authorization" before following a redirect. Other credential-bearing headers were not stripped, most notably PRIVATE-TOKEN (used by GitLab's personal access token flow) and mixed-case Authorization (used by GitLab's Bearer/OAuth flow), so they could be forwarded to an attacker-controlled cross-origin redirect destination, disclosing the update client's credentials. This issue has been fixed in builder-util-runtime 9.7.0.
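The following is an added example, not code from electron-builder or this advisory: a redirect header-stripping routine written in the shape the description above gives (exact lowercase `authorization` match only), next to a hardened variant that drops every credential-bearing header case-insensitively when the redirect leaves the original origin. All function and constant names, the header list, the sample headers and the URLs are this example's own assumptions; the upstream fix in commit 22a7532 may be implemented differently.

```javascript
// Added example (not electron-builder's code). The real handler the advisory
// names is HttpExecutor.prepareRedirectUrlOptions in builder-util-runtime;
// the functions below are this example's own reconstruction of the pattern.

// Constructed sample request headers, carrying credentials the way the
// GitLab flows named in the advisory do.
const SAMPLE_HEADERS = {
  "User-Agent": "electron-updater",
  "PRIVATE-TOKEN": "glpat-constructed-example-token",    // GitLab PAT flow
  "Authorization": "Bearer constructed-example-token",   // GitLab OAuth flow, mixed case
  "accept": "application/octet-stream",
};

// Header names that carry credentials and must not follow a cross-origin
// redirect. HTTP header names are case-insensitive, so compare lowercased.
// (Assumed list for this example; extend it for your own auth scheme.)
const CREDENTIAL_HEADERS = new Set([
  "authorization",
  "proxy-authorization",
  "private-token",
  "cookie",
]);

function isCrossOrigin(fromUrl, toUrl) {
  return new URL(fromUrl).origin !== new URL(toUrl).origin;
}

// Vulnerable pattern as the advisory describes it: only the exact lowercase
// key "authorization" is removed, so "Authorization" and "PRIVATE-TOKEN"
// survive and are sent to whatever host the redirect points at.
function vulnerableRedirectHeaders(headers) {
  const out = { ...headers };
  delete out["authorization"];
  return out;
}

// Hardened variant (this example's own): on a cross-origin redirect, drop
// every credential header regardless of key casing. Same-origin redirects
// keep the credentials so authenticated update servers keep working.
function hardenedRedirectHeaders(headers, fromUrl, toUrl) {
  if (!isCrossOrigin(fromUrl, toUrl)) {
    return { ...headers };
  }
  const out = {};
  for (const [name, value] of Object.entries(headers)) {
    if (!CREDENTIAL_HEADERS.has(name.toLowerCase())) {
      out[name] = value;
    }
  }
  return out;
}

// Lists the credential headers (sorted) that would reach the redirect target.
function leakedCredentialHeaders(headers) {
  return Object.keys(headers)
    .filter((name) => CREDENTIAL_HEADERS.has(name.toLowerCase()))
    .sort();
}

// Constructed URLs: an authenticated GitLab package download whose response
// redirects to a host the attacker controls.
const ORIGIN_URL =
  "https://gitlab.example.com/api/v4/projects/42/packages/generic/app/1.0.0/app.zip";
const REDIRECT_URL = "https://attacker.example.net/app.zip";

function demo() {
  const vulnLeak = leakedCredentialHeaders(vulnerableRedirectHeaders(SAMPLE_HEADERS));
  const hardLeak = leakedCredentialHeaders(
    hardenedRedirectHeaders(SAMPLE_HEADERS, ORIGIN_URL, REDIRECT_URL)
  );
  console.log("vulnerable handler forwards to redirect target:", vulnLeak);
  console.log("hardened handler forwards to redirect target:  ", hardLeak);
  return { vulnLeak, hardLeak };
}

demo();
```

The origin comparison (scheme, host and port) is the deciding factor: a redirect to a different path on the same update host legitimately needs the token, while any change of origin should be treated as untrusted.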

CWE CWE-200
Vendor electron-userland
Product electron-builder
Published Jun 30, 2026
Last Updated Jun 30, 2026

Affected Versions

electron-userland / electron-builder
< 26.15.0
electron-userland / builder-util-runtime
< 9.7.0

builder-util-runtime is a transitive dependency of electron-updater, so check the version actually resolved in the app's lockfile (for example with `npm ls builder-util-runtime`) rather than relying on the electron-updater or electron-builder version alone.

References

NVD · CVE.org · EPSS Data
GitHub advisory: https://github.com/electron-userland/electron-builder/security/advisories/GHSA-p2f4-r6v6-j797
GitHub commit: https://github.com/electron-userland/electron-builder/commit/22a7532bd01b9fb42cff7c58d599c7ad683569fe