diff --git a/.azure-pipelines-k8s-matrix.yml b/.azure-pipelines-k8s-matrix.yml
index 77129460a3..7b61c9e8c6 100644
--- a/.azure-pipelines-k8s-matrix.yml
+++ b/.azure-pipelines-k8s-matrix.yml
@@ -15,7 +15,7 @@ trigger: none
 jobs:
   - job: Linux
     pool:
-      vmImage: ubuntu-16.04
+      vmImage: ubuntu-18.04
     strategy:
       matrix:
         kube_1.16:
diff --git a/.azure-pipelines.yml b/.azure-pipelines.yml
index 3e1b43f875..a11fa412a0 100644
--- a/.azure-pipelines.yml
+++ b/.azure-pipelines.yml
@@ -41,6 +41,9 @@ jobs:
       - bash: |
           set -e
           git clone "https://${GH_TOKEN}@github.com/lensapp/lens-ide.git" .lens-ide-overlay
+          cd .lens-ide-overlay
+          git checkout -b v5.2 0d3d9140a0f151c3ca6d7651c092f8ba44091794
+          cd ..
           rm -rf .lens-ide-overlay/.git
           cp -r .lens-ide-overlay/* ./
           jq -s '.[0] * .[1]' package.json package.ide.json > package.custom.json && mv package.custom.json package.json
@@ -87,6 +90,9 @@ jobs:
       - bash: |
           set -e
           git clone "https://${GH_TOKEN}@github.com/lensapp/lens-ide.git" .lens-ide-overlay
+          cd .lens-ide-overlay
+          git checkout -b v5.2 0d3d9140a0f151c3ca6d7651c092f8ba44091794
+          cd ..
           rm -rf .lens-ide-overlay/.git
           cp -r .lens-ide-overlay/* ./
           jq -s '.[0] * .[1]' package.json package.ide.json > package.custom.json && mv package.custom.json package.json
@@ -109,7 +115,7 @@ jobs:
 
   - job: Linux
     pool:
-      vmImage: ubuntu-16.04
+      vmImage: ubuntu-18.04
     strategy:
       matrix:
         node_14.x:
@@ -135,6 +141,9 @@ jobs:
       - bash: |
           set -e
           git clone "https://${GH_TOKEN}@github.com/lensapp/lens-ide.git" .lens-ide-overlay
+          cd .lens-ide-overlay
+          git checkout -b v5.2 0d3d9140a0f151c3ca6d7651c092f8ba44091794
+          cd ..
           rm -rf .lens-ide-overlay/.git
           cp -r .lens-ide-overlay/* ./
           jq -s '.[0] * .[1]' package.json package.ide.json > package.custom.json && mv package.custom.json package.json
diff --git a/.yarnrc b/.yarnrc
index 0ffbd73e54..3666616e0b 100644
--- a/.yarnrc
+++ b/.yarnrc
@@ -1,3 +1,3 @@
 disturl "https://atom.io/download/electron"
-target "12.2.1"
+target "13.4.0"
 runtime "electron"
diff --git a/package.json b/package.json
index 5dba768a49..525d5c2087 100644
--- a/package.json
+++ b/package.json
@@ -3,7 +3,7 @@
   "productName": "OpenLens",
   "description": "OpenLens - Open Source IDE for Kubernetes",
   "homepage": "https://github.com/lensapp/lens",
-  "version": "5.2.5",
+  "version": "5.2.6-beta.0",
   "main": "static/build/main.js",
   "copyright": "© 2021 OpenLens Authors",
   "license": "MIT",
@@ -326,7 +326,7 @@
     "css-loader": "^5.2.6",
     "deepdash": "^5.3.5",
     "dompurify": "^2.3.1",
-    "electron": "^12.2.1",
+    "electron": "^13.4.0",
     "electron-builder": "^22.10.5",
     "electron-notarize": "^0.3.0",
     "esbuild": "^0.12.24",
diff --git a/src/main/context-handler.ts b/src/main/context-handler.ts
index b6e14df4e5..ce1273646b 100644
--- a/src/main/context-handler.ts
+++ b/src/main/context-handler.ts
@@ -114,7 +114,7 @@ export class ContextHandler {
     await this.ensureServer();
     const path = this.clusterUrl.path !== "/" ? this.clusterUrl.path : "";
 
-    return `http://127.0.0.1:${this.kubeAuthProxy.port}${path}`;
+    return `http://127.0.0.1:${this.kubeAuthProxy.port}${this.kubeAuthProxy.apiPrefix}${path}`;
   }
 
   async getApiTarget(isLongRunningRequest = false): Promise<httpProxy.ServerOptions> {
diff --git a/src/main/kube-auth-proxy.ts b/src/main/kube-auth-proxy.ts
index ac3bdf8dd1..4362f4f314 100644
--- a/src/main/kube-auth-proxy.ts
+++ b/src/main/kube-auth-proxy.ts
@@ -21,6 +21,7 @@
 
 import { ChildProcess, spawn } from "child_process";
 import { waitUntilUsed } from "tcp-port-used";
+import { randomBytes } from "crypto";
 import { broadcastMessage } from "../common/ipc";
 import type { Cluster } from "./cluster";
 import { Kubectl } from "./kubectl";
@@ -38,6 +39,7 @@ const startingServeRegex = /^starting to serve on (?<address>.+)/i;
 
 export class KubeAuthProxy {
   public lastError: string;
+  public readonly apiPrefix: string;
 
   public get port(): number {
     return this._port;
@@ -56,6 +58,7 @@ export class KubeAuthProxy {
     this.env = env;
     this.cluster = cluster;
     this.kubectl = Kubectl.bundled();
+    this.apiPrefix = `/${randomBytes(8).toString("hex")}`;
   }
 
   get acceptHosts() {
@@ -78,7 +81,8 @@ export class KubeAuthProxy {
       "--kubeconfig", `${this.cluster.kubeConfigPath}`,
       "--context", `${this.cluster.contextName}`,
       "--accept-hosts", this.acceptHosts,
-      "--reject-paths", "^[^/]"
+      "--reject-paths", "^[^/]",
+      "--api-prefix", this.apiPrefix
     ];
 
     if (process.env.DEBUG_PROXY === "true") {
@@ -112,7 +116,7 @@ export class KubeAuthProxy {
     });
 
     await waitUntilUsed(this.port, 500, 10000);
-  
+
     this.ready = true;
   }
 
diff --git a/src/main/lens-proxy.ts b/src/main/lens-proxy.ts
index 47f4c4756f..7ce2ec29df 100644
--- a/src/main/lens-proxy.ts
+++ b/src/main/lens-proxy.ts
@@ -200,10 +200,6 @@ export class LensProxy extends Singleton {
       const proxyTarget = await this.getProxyTarget(req, cluster.contextHandler);
 
       if (proxyTarget) {
-        // allow to fetch apis in "clusterId.localhost:port" from "localhost:port"
-        // this should be safe because we have already validated cluster uuid
-        res.setHeader("Access-Control-Allow-Origin", "*");
-
         return this.proxy.web(req, res, proxyTarget);
       }
     }
diff --git a/src/main/window-manager.ts b/src/main/window-manager.ts
index 80e3224fd4..f751d79790 100644
--- a/src/main/window-manager.ts
+++ b/src/main/window-manager.ts
@@ -109,10 +109,6 @@ export class WindowManager extends Singleton {
           app.dock?.hide(); // hide icon in dock (mac-os)
         })
         .webContents
-        .on("new-window", (event, url) => {
-          event.preventDefault();
-          shell.openExternal(url);
-        })
         .on("dom-ready", () => {
           appEventBus.emit({ name: "app", action: "dom-ready" });
         })
@@ -150,6 +146,10 @@ export class WindowManager extends Singleton {
 
           // Always disable Node.js integration for all webviews
           webPreferences.nodeIntegration = false;
+        }).setWindowOpenHandler((details) => {
+          shell.openExternal(details.url);
+
+          return { action: "deny" };
         });
     }
 
diff --git a/yarn.lock b/yarn.lock
index 081fc44d94..a0f22f0e98 100644
--- a/yarn.lock
+++ b/yarn.lock
@@ -5269,10 +5269,10 @@ electron@*:
     "@types/node" "^12.0.12"
     extract-zip "^1.0.3"
 
-electron@^12.2.1:
-  version "12.2.1"
-  resolved "https://registry.yarnpkg.com/electron/-/electron-12.2.1.tgz#ef138fde11efd01743934c3e0df717cc53ee362b"
-  integrity sha512-Gp+rO81qoaRDP7PTVtBOvnSgDgGlwUuAEWXxi621uOJMIlYFas9ChXe8pjdL0R0vyUpiHVzp6Vrjx41VZqEpsw==
+electron@^13.4.0:
+  version "13.4.0"
+  resolved "https://registry.yarnpkg.com/electron/-/electron-13.4.0.tgz#f9f9e518d8c6bf23bfa8b69580447eea3ca0f880"
+  integrity sha512-KJGWS2qa0xZXIMPMDUNkRVO8/JxRd4+M0ejYYOzu2LIQ5ijecPzNuNR9nvDkml9XyyRBzu975FkhJcwD17ietQ==
   dependencies:
     "@electron/get" "^1.0.1"
     "@types/node" "^14.6.2"