CVE-2026-54673
electron-updater allows for automatic updates for Electron apps. Prior to 9.7.0, the HTTP redirect handler (HttpExecutor.prepareRedirectUrlOptions) only stripped a credential header whose key string matched exactly lowercase "authorization", exposing credentials. Other credential-bearing headers, most notably PRIVATE-TOKEN (used by GitLab's personal access token flow) and mixed-case Authorization (used by GitLab's Bearer/OAuth flow), were not stripped and could be forwarded to an attacker-controlled cross-origin redirect destination.
This issue has been fixed in version 9.7.0.
- ⚠ NVD has not scored this CVE yet - manual triage required (common for recent CVEs)
ATT&CK techniques
20Techniques this CVE enables. Pills with a solid outline are high confidence - named directly in ATT&CK or Nuclei, or human-curated by CTID; the rest are inferred from the weakness type using MITRE's CVE Mapping Methodology and the CWE → CAPEC chain. Broad, generic-weakness guesses are filtered out. A small N× marks a technique that N independent sources agree on.
CAPEC attack patterns
12Attack patterns this CVE enables - the bridge from weakness to ATT&CK technique.