Platform
nodejs
Component
@google/clasp
Fixed in
3.2.1
3.2.0
CVE-2026-4092 is a path traversal vulnerability in @google/clasp, the command-line tool for developing Google Apps Script projects. When a developer pulls or clones a project that an attacker controls, clasp can be made to write files outside the intended project directory, which can lead to code execution on the developer's machine. Versions prior to 3.2.0 are affected; the fix shipped in 3.2.0.
The primary impact of CVE-2026-4092 is an arbitrary file write. An attacker who can get a developer to run the pull or clone command against a malicious project can overwrite files outside the project's designated directory: replacing legitimate scripts with malicious ones, injecting code into configuration files, or modifying system files, depending on the developer's permissions and the system's security posture. The writes happen with the privileges of the user running clasp, so the blast radius is every file that user can write, which on a typical developer workstation includes shell profiles, other checked-out projects and user-installed tooling. Successful exploitation can therefore give the attacker remote code execution (RCE) on the developer's machine, control over the environment and access to sensitive data such as credentials.
CVE-2026-4092 was publicly disclosed on 2026-03-13. There is currently no indication of active exploitation in the wild, and no public proof-of-concept (POC) code has been released. The vulnerability is not currently listed on the CISA KEV catalog. The relatively recent disclosure and lack of public exploits suggest a low to medium probability of near-term exploitation.
Exploit Status
EPSS
1.03% (77th percentile)
CISA SSVC
The recommended mitigation for CVE-2026-4092 is to upgrade to @google/clasp version 3.2.0 or later immediately. If upgrading is not immediately feasible, be aware that reviewing the output of the pull and clone commands is detective rather than preventive: by the time the file list is visible, the writes have already happened. Until you can upgrade, only clone or pull projects whose script ID you control or whose authors you trust; run clasp from a disposable working directory, for example in a container or as a dedicated low-privilege user, so a traversal has nothing valuable to overwrite; and after each pull or clone inspect what changed (in a version-controlled project, `git status` makes paths outside the expected set stand out) and look for unexpected files or suspicious content. Stricter access controls and code review further reduce the attack surface.
Update clasp to version 3.2.0 or higher; that release corrects the path traversal that can lead to code execution on the developer's machine. For a global install, run `npm install -g @google/clasp@latest` and confirm the result with `clasp --version`. Projects that install clasp locally as a devDependency need updating too: check with `npm ls @google/clasp` inside the project and update with `npm install --save-dev @google/clasp@latest`.
CVE-2026-4092 is a Path Traversal vulnerability in @google/clasp versions before 3.2.0, allowing attackers to modify files outside the project directory.
You are affected if you are using @google/clasp versions prior to 3.2.0 and clone or pull scripts from untrusted sources.
Upgrade to @google/clasp version 3.2.0 or later. As a temporary workaround, only pull or clone projects from trusted sources and inspect the files each pull or clone modified.
There is currently no indication of active exploitation in the wild or public proof-of-concept code.
Refer to the @google/clasp release notes and security advisories on the Google Developers website for details.