CVE-2026-4092

High

Published: 13 March 2026

Published

13 March 2026

Modified

14 April 2026

KEV Added

—

Patch

—

CVSS Score 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

EPSS Score 0.0023 45.6th percentile

Risk Priority 18 60% EPSS · 20% KEV · 20% CVSS

Description

Path Traversal in Clasp impacting versions < 3.2.0 allows a remote attacker to perform remote code execution via a malicious Google Apps Script project containing specially crafted filenames with directory traversal sequences.

Mitigating Controls (NIST 800-53 r5)AI

SI-2 Flaw Remediation good match

prevent

Requires timely identification, reporting, and patching of the path traversal flaw in Clasp versions prior to 3.2.0 to prevent remote code execution.

SI-10 Information Input Validation good match

prevent

Mandates validation of information inputs such as filenames to block directory traversal sequences exploited in malicious Google Apps Script projects.

RA-5 Vulnerability Monitoring and Scanning partial match

detect

Enables vulnerability scanning to identify the presence of CVE-2026-4092 in deployed Clasp installations for subsequent remediation.

Security SummaryAI

CVE-2026-4092 is a path traversal vulnerability (CWE-22) in the Clasp tool, affecting versions prior to 3.2.0. Clasp, maintained by Google for interacting with Google Apps Script projects, fails to properly sanitize filenames containing directory traversal sequences, enabling a remote attacker to achieve remote code execution.

A remote attacker without privileges can exploit this vulnerability over the network with low complexity, though it requires user interaction. The scenario involves tricking a user into handling a malicious Google Apps Script project via Clasp, where specially crafted filenames with traversal sequences (such as ../) allow the attacker to write files outside intended directories and execute arbitrary code on the victim's system. Successful exploitation grants high confidentiality, integrity, and availability impacts, as reflected in the CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).

Mitigation is addressed in the GitHub pull request at https://github.com/google/clasp/pull/1109, which corresponds to the release of Clasp version 3.2.0. Security practitioners should update to version 3.2.0 or later to patch the vulnerability and avoid processing untrusted Google Apps Script projects.

Details

CWE(s): CWE-22

Affected Products

google

clasp

≤ 3.2.0

MITRE ATT&CK Enterprise TechniquesAI

T1203 Exploitation for Client Execution Execution

Adversaries may exploit software vulnerabilities in client applications to execute code.

attack.mitre.org →

Why these techniques?

Path traversal vulnerability in Clasp enables remote code execution by exploiting a client-side software vulnerability when handling malicious Google Apps Script projects with crafted filenames.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References

https://github.com/google/clasp/pull/1109
Issue Tracking, Patch · cve-coordination@google.com