CVE-2026-55664 in grist-coreinfo

Summary

by MITRE • 07/10/2026

Grist is spreadsheet software using Python as its formula language. Prior to 1.7.15, the GET /forms endpoint read table and column metadata without applying the document's access rules and did not check that the requested section was actually a form. A user with only partial read access, including public access on a publicly viewable document, could request the metadata of any widget and reveal table and column structure that access rules would otherwise hide, even in documents that contain no forms. This issue is fixed in version 1.7.15.

VulDB is the best source for vulnerability data and more expert information about this specific topic.

Analysis

by VulDB Data Team • 07/10/2026

The vulnerability described represents a critical information disclosure flaw in Grist spreadsheet software that undermines the application's access control mechanisms. This weakness specifically affects the GET /forms endpoint which is responsible for handling form-related requests within the document management system. The vulnerability manifests when the application fails to properly enforce document access rules during metadata retrieval operations, allowing unauthorized users to bypass normal security boundaries.

The technical implementation flaw stems from inadequate input validation and access control enforcement within the application's routing logic. When processing requests to the /forms endpoint, Grist does not properly verify whether the requested section corresponds to an actual form or simply retrieves arbitrary widget metadata. This oversight creates a pathway for attackers to enumerate table structures and column definitions that should remain hidden based on the document's access configuration. The vulnerability is particularly concerning because it operates independently of whether forms actually exist within the document, meaning any publicly accessible document can be subjected to this metadata enumeration attack.

From an operational perspective, this vulnerability exposes significant risks to data confidentiality and system integrity. Users with minimal read access, including those with public viewing privileges, can discover sensitive information about the underlying database structure and data organization within documents. This metadata exposure enables attackers to better understand the document's architecture and potentially identify additional attack vectors or targets within the system. The impact extends beyond simple information disclosure as it provides reconnaissance capabilities that could lead to more sophisticated attacks targeting other system components.

The vulnerability aligns with CWE-200 (Information Exposure) and CWE-693 (Protection Mechanism Failure) categories, representing a fundamental breakdown in the application's security controls. From an adversary perspective, this weakness maps to ATT&CK technique T1213.002 (Data from Information Repositories) and T1566.001 (Phishing via Service Provider) as it enables attackers to gather intelligence about document structures that could inform subsequent social engineering or exploitation attempts. The issue is particularly dangerous in multi-tenant environments where documents contain sensitive business or personal information, as it allows unauthorized enumeration of data assets across different user accounts.

Security mitigations for this vulnerability should focus on implementing proper access control enforcement at the endpoint level, ensuring that all metadata requests are validated against document access rules and section type verification. The fix implemented in version 1.7.15 addresses the core issue by enforcing document access controls during metadata retrieval operations and by validating that requested sections are actually forms before processing metadata requests. Additional protective measures include implementing rate limiting on metadata queries, logging suspicious access patterns, and ensuring comprehensive testing of access control logic during security reviews of similar applications. Organizations should also consider implementing network-level monitoring to detect unusual metadata enumeration patterns that might indicate exploitation attempts against this vulnerability.

Responsible

GitHub M

Reservation

06/17/2026

Disclosure

07/10/2026

Moderation

accepted

CPE

ready

EPSS

0.00000

KEV

no

Activities

very low

Sources

Want to stay up to date on a daily basis?

Enable the mail alert feature now!