Cyber Posture

CVE-2026-4092

High

Published: 13 March 2026

Published
13 March 2026
Modified
14 April 2026
KEV Added
Patch
CVSS Score 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
EPSS Score 0.0023 45.7th percentile
Risk Priority 18 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-4092 is a high-severity Path Traversal (CWE-22) vulnerability in Google Clasp. Its CVSS base score is 8.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Client Execution (T1203); ranked at the 45.7th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploitation for Client Execution (T1203). What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SI-2 Flaw Remediation good match
prevent

Requires timely identification, reporting, and patching of the path traversal flaw in Clasp versions prior to 3.2.0 to prevent remote code execution.

SI-10 Information Input Validation good match
prevent

Mandates validation of information inputs such as filenames to block directory traversal sequences exploited in malicious Google Apps Script projects.

RA-5 Vulnerability Monitoring and Scanning partial match
detect

Enables vulnerability scanning to identify the presence of CVE-2026-4092 in deployed Clasp installations for subsequent remediation.

MITRE ATT&CK Enterprise TechniquesAI

T1203 Exploitation for Client Execution Execution
Adversaries may exploit software vulnerabilities in client applications to execute code.
attack.mitre.org →
Why these techniques?

Path traversal vulnerability in Clasp enables remote code execution by exploiting a client-side software vulnerability when handling malicious Google Apps Script projects with crafted filenames.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

NVD Description

Path Traversal in Clasp impacting versions < 3.2.0 allows a remote attacker to perform remote code execution via a malicious Google Apps Script project containing specially crafted filenames with directory traversal sequences.

Deeper analysisAI

CVE-2026-4092 is a path traversal vulnerability (CWE-22) in the Clasp tool, affecting versions prior to 3.2.0. Clasp, maintained by Google for interacting with Google Apps Script projects, fails to properly sanitize filenames containing directory traversal sequences, enabling a remote attacker to achieve remote code execution.

A remote attacker without privileges can exploit this vulnerability over the network with low complexity, though it requires user interaction. The scenario involves tricking a user into handling a malicious Google Apps Script project via Clasp, where specially crafted filenames with traversal sequences (such as ../) allow the attacker to write files outside intended directories and execute arbitrary code on the victim's system. Successful exploitation grants high confidentiality, integrity, and availability impacts, as reflected in the CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).

Mitigation is addressed in the GitHub pull request at https://github.com/google/clasp/pull/1109, which corresponds to the release of Clasp version 3.2.0. Security practitioners should update to version 3.2.0 or later to patch the vulnerability and avoid processing untrusted Google Apps Script projects.

Details

CWE(s)
CWE-22

Affected Products

google
clasp
≤ 3.2.0

CVEs Like This One

CVE-2025-0084Same vendor: Google
CVE-2025-0997Same vendor: Google
CVE-2025-48567Same vendor: Google
CVE-2025-36897Same vendor: Google
CVE-2025-0762Same vendor: Google
CVE-2025-1916Same vendor: Google
CVE-2026-6315Same vendor: Google
CVE-2026-1260Same vendor: Google
CVE-2026-6319Same vendor: Google
CVE-2026-3223Same vendor: Google

References