CVE-2026-4092
Published: 13 March 2026
Summary
CVE-2026-4092 is a high-severity Path Traversal (CWE-22) vulnerability in Google Clasp. Its CVSS base score is 8.7 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Client Execution (T1203); ranked at the 36.7th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2026-4092 is a path traversal vulnerability (CWE-22) in Clasp, the command-line interface tool for Google Apps Script, affecting all versions prior to 3.2.0. The flaw resides in the handling of project filenames, allowing directory traversal sequences to be processed when a specially crafted Google Apps Script project is loaded.
A remote attacker can exploit the issue by supplying a malicious project containing crafted filenames. Successful exploitation grants remote code execution on the victim's system, with the attack vector requiring user interaction such as opening or syncing the project but no authentication or special privileges.
The referenced GitHub pull request 1109 implements the fix by updating filename sanitization logic; practitioners should upgrade Clasp to version 3.2.0 or later to eliminate the traversal vectors.
EPSS for the CVE rose from a low baseline to a peak of 0.0132 on 2026-03-19 shortly after disclosure before receding to the current value of 0.0027, indicating a transient increase in exploitation interest after public release. No confirmed in-the-wild exploitation has been reported.
OWASP Top 10 for Web (2025)
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-12047
Vulnerability details
Path Traversal in Clasp impacting versions < 3.2.0 allows a remote attacker to perform remote code execution via a malicious Google Apps Script project containing specially crafted filenames with directory traversal sequences.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Path traversal vulnerability in Clasp enables remote code execution by exploiting a client-side software vulnerability when handling malicious Google Apps Script projects with crafted filenames.
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Requires timely identification, reporting, and patching of the path traversal flaw in Clasp versions prior to 3.2.0 to prevent remote code execution.
Mandates validation of information inputs such as filenames to block directory traversal sequences exploited in malicious Google Apps Script projects.
Enables vulnerability scanning to identify the presence of CVE-2026-4092 in deployed Clasp installations for subsequent remediation.