Trimble published a security advisory on 22 May disclosing CVE-2026-9264, a CVSS 9.3 remote code execution vulnerability in SketchUp 2026 affecting the Dynamic Components feature. An attacker who can deliver a maliciously crafted SketchUp file (.skp) to a user — via email attachment, file sharing, or collaboration platform — can achieve arbitrary code execution and access the user’s local file system without any interaction beyond opening the file.
SketchUp is widely used in architecture, construction, engineering, interior design, and gaming industries. Many organisations use SketchUp for technical design workflows that involve sharing model files with external collaborators — contractors, clients, and suppliers — creating a natural phishing vector for crafted .skp files.
Vulnerability Mechanism
SketchUp’s Dynamic Components feature allows component authors to embed interactive elements in .skp files that use HTML, JavaScript, and CSS for their interface. These HTML-based component UIs are rendered by SketchUp using an embedded Internet Explorer 11 (IE11) browser component.
IE11’s security model is significantly weaker than modern browsers. It does not enforce the same cross-origin isolation, content security policies, or sandboxing that protect modern browser-rendered content. Critically, the IE11 embedded renderer in SketchUp runs with access to the file:// URI scheme, which allows JavaScript to read files from the local file system — a capability that modern browsers explicitly block for security reasons.
CVE-2026-9264 exploits this by embedding a Dynamic Component with XSS-triggering JavaScript in a crafted .skp file. When SketchUp opens the file and renders the Dynamic Component interface in the embedded IE11 browser, the malicious JavaScript executes with:
- Local file system access: The ability to read any file accessible to the user’s account, including documents, credentials stored in credential managers, browser profiles, and application data
- Code execution: The ability to execute binaries or scripts via the ActiveXObject mechanism available in IE11
The combination of file read and code execution provides a complete initial access capability for a threat actor targeting design and engineering organisations.
Attack Vector
The most plausible attack scenario is a phishing campaign targeting architecture, construction, or engineering firms. A typical lure email would carry a .skp file labelled as a building design, furniture model, or component library for review. Users who regularly receive SketchUp files from external parties may not scrutinise a crafted .skp file before opening it.
The file can also be distributed through SketchUp’s 3D Warehouse (a model-sharing platform), though Trimble has indicated they are reviewing submissions for malicious content.
Affected Versions and Patch
SketchUp 2026 versions prior to the patched release are affected. Trimble has released a patched version, available through SketchUp’s Help → Check for Updates menu. SketchUp Pro subscribers receive automatic update notifications.
Mitigations
Update SketchUp: Apply the patch available from Trimble. The update closes the specific Dynamic Component rendering vulnerability.
User awareness: Brief users who regularly open SketchUp files from external sources on the risk of crafted .skp files. This is particularly relevant for staff who receive model files from clients, contractors, or through 3D Warehouse downloads.
Disable Dynamic Components if not required: Organisations that use SketchUp for viewing and simple modelling without using the Dynamic Components feature can disable this feature as a compensating control until the patch is applied.
Monitoring: Endpoint detection on workstations used for SketchUp can detect unusual child processes spawned from SketchUp.exe, which would indicate exploitation. IE11 spawning network connections or PowerShell from the SketchUp context is an indicator of active exploitation.
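As an added illustration of the monitoring control above (example code written for this page, not from the advisory or from Trimble), the following Python detector runs over constructed Sysmon-style process-creation records and flags script interpreters or LOLBins whose ancestor chain includes SketchUp.exe, walking a few levels up the tree so an intermediate process does not hide the origin. The field names, the install path and the list of suspicious children are assumptions.

```python
"""Flag script interpreters / LOLBins spawned under SketchUp.exe.

Added example, not part of the advisory. Records are constructed and
mirror Sysmon Event ID 1 fields (Image, ParentImage, ProcessGuid,
ParentProcessGuid); adapt the field names to your EDR's schema.
"""
import ntpath

# Binaries a design tool has no business launching (assumed list; tune per site).
SUSPICIOUS_CHILDREN = {
    "powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe",
    "mshta.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe", "bitsadmin.exe",
}
MAX_DEPTH = 4  # how many parent hops to search for SketchUp.exe


def _base(image):
    """Case-insensitive basename of a Windows image path."""
    return ntpath.basename(image).lower()


def find_suspicious(events):
    """Return (child_image, ancestor_chain) for each event whose image is a
    suspicious binary and whose ancestry reaches SketchUp.exe within MAX_DEPTH."""
    by_guid = {e["ProcessGuid"]: e for e in events}
    hits = []
    for ev in events:
        if _base(ev["Image"]) not in SUSPICIOUS_CHILDREN:
            continue
        chain, guid = [], ev["ParentProcessGuid"]
        for _ in range(MAX_DEPTH):
            parent = by_guid.get(guid)
            if parent is None:  # root of the known tree reached
                break
            chain.append(_base(parent["Image"]))
            if chain[-1] == "sketchup.exe":
                hits.append((ev["Image"], chain))
                break
            guid = parent["ParentProcessGuid"]
    return hits


# Constructed sample: explorer -> SketchUp -> powershell -> cmd (two hits),
# explorer -> cmd (unrelated, no hit). Install path is a placeholder.
SAMPLE_EVENTS = [
    {"ProcessGuid": "g1", "ParentProcessGuid": "g0", "Image": r"C:\Windows\explorer.exe"},
    {"ProcessGuid": "g2", "ParentProcessGuid": "g1", "Image": r"C:\Program Files\SketchUp\SketchUp.exe"},
    {"ProcessGuid": "g3", "ParentProcessGuid": "g2", "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"ProcessGuid": "g4", "ParentProcessGuid": "g1", "Image": r"C:\Windows\System32\cmd.exe"},
    {"ProcessGuid": "g5", "ParentProcessGuid": "g3", "Image": r"C:\Windows\System32\cmd.exe"},
]

if __name__ == "__main__":
    for image, chain in find_suspicious(SAMPLE_EVENTS):
        print(f"ALERT: {image} spawned under {' <- '.join(chain)}")
```

Legitimate SketchUp helper processes, if any exist in your environment, belong in an allowlist rather than in SUSPICIOUS_CHILDREN; the ancestor walk is what catches a launch that goes through an intermediate interpreter.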