Cyber Resilience

CVE-2026-4092

High

Published: 13 March 2026

Published
13 March 2026
Modified
14 April 2026
KEV Added
Patch
CVSS Score v4 8.7 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.0046 36.7th percentile
Risk Priority 55 floored blend · peak EPSS

Summary

CVE-2026-4092 is a high-severity Path Traversal (CWE-22) vulnerability in Google Clasp. Its CVSS base score is 8.7 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Client Execution (T1203); ranked at the 36.7th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-4092 is a path traversal vulnerability (CWE-22) in Clasp, the command-line interface tool for Google Apps Script, affecting all versions prior to 3.2.0. The flaw resides in the handling of project filenames, allowing directory traversal sequences to be processed when a specially crafted Google Apps Script project is loaded.

A remote attacker can exploit the issue by supplying a malicious project containing crafted filenames. Successful exploitation grants remote code execution on the victim's system, with the attack vector requiring user interaction such as opening or syncing the project but no authentication or special privileges.

The referenced GitHub pull request 1109 implements the fix by updating filename sanitization logic; practitioners should upgrade Clasp to version 3.2.0 or later to eliminate the traversal vectors.

EPSS for the CVE rose from a low baseline to a peak of 0.0132 on 2026-03-19 shortly after disclosure before receding to the current value of 0.0027, indicating a transient increase in exploitation interest after public release. No confirmed in-the-wild exploitation has been reported.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

Path Traversal in Clasp impacting versions < 3.2.0 allows a remote attacker to perform remote code execution via a malicious Google Apps Script project containing specially crafted filenames with directory traversal sequences.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1203 Exploitation for Client Execution Execution
Adversaries may exploit software vulnerabilities in client applications to execute code.
Why these techniques?

Path traversal vulnerability in Clasp enables remote code execution by exploiting a client-side software vulnerability when handling malicious Google Apps Script projects with crafted filenames.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-6315Same vendor: Google
CVE-2024-43767Same vendor: Google
CVE-2026-8540Same vendor: Google
CVE-2025-0084Same vendor: Google
CVE-2025-0997Same vendor: Google
CVE-2025-0762Same vendor: Google
CVE-2026-3223Same vendor: Google
CVE-2025-48567Same vendor: Google
CVE-2025-1920Same vendor: Google
CVE-2025-12907Same vendor: Google

Affected Assets

google
clasp
≤ 3.2.0

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Requires timely identification, reporting, and patching of the path traversal flaw in Clasp versions prior to 3.2.0 to prevent remote code execution.

prevent

Mandates validation of information inputs such as filenames to block directory traversal sequences exploited in malicious Google Apps Script projects.

detect

Enables vulnerability scanning to identify the presence of CVE-2026-4092 in deployed Clasp installations for subsequent remediation.

References