PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-55664 gristlabs CVE debrief

CVE-2026-55664 is a vulnerability in Grist spreadsheet software that allows users with partial read access to request metadata of any widget, potentially revealing table and column structure that access rules would otherwise hide. The issue is fixed in version 1.7.15. This vulnerability has a CVSS score of 4.3 and a severity of MEDIUM. Users with only partial read access, including public access on a publicly viewable document, could request the metadata of any widget and reveal table and column structure that access rules would otherwise hide.

Vendor
gristlabs
Product
grist-core
CVSS
MEDIUM 4.3
CISA KEV
Not listed in stored evidence
Original CVE published
2026-07-10
Original CVE updated
2026-07-10
Advisory published
2026-07-10
Advisory updated
2026-07-10

Who should care

Users of Grist spreadsheet software, especially those with partial read access, should be aware of this vulnerability and take steps to protect themselves by updating to version 1.7.15. Affected operators, platform administrators, vulnerability management teams, and security teams should review and adjust access rules for documents and widgets, and monitor for suspicious activity on Grist instances.

Technical summary

The GET /forms endpoint in Grist spreadsheet software reads table and column metadata without applying the document's access rules and does not check that the requested section was actually a form. This allows users with only partial read access, including public access on a publicly viewable document, to request the metadata of any widget and reveal table and column structure that access rules would otherwise hide. The issue is fixed in version 1.7.15.

Defensive priority

Medium

Recommended defensive actions

  • Update Grist spreadsheet software to version 1.7.15 or later
  • Review and adjust access rules for documents and widgets
  • Monitor for suspicious activity on Grist instances
  • Confirm whether affected product deployments exist in managed environments and assign an owner for follow-up.
  • Review the supplied official advisory or CVE record to validate affected scope, severity, and vendor guidance.
  • Plan vendor-supported updates or mitigations through normal change control where exposure is confirmed.
  • Check relevant monitoring, detection, and logs for exposed assets that need extra review.

Evidence notes

The CVE record was published on 2026-07-10T21:16:56.723Z and has not been modified since then. The NVD entry is currently 4.3 MEDIUM. The Grist spreadsheet software vulnerability allows users with partial read access to request metadata of any widget, potentially revealing table and column structure that access rules would otherwise hide. The issue is fixed in version 1.7.15. Evidence limits suggest verifying affected scope and vendor guidance.

Official resources

AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-10T21:16:56.723Z and has not been modified since then.