ChatGPT Add-On for Google Sheets Quietly Drains Entire Workbook Libraries

A vulnerability in ChatGPT for Google Sheets allows indirect prompt injection in one cell to exfiltrate dozens of workbooks across a Google account. No approvals needed. Similar flaws appear in other AI spreadsheet tools and ChatGPT runtimes. Enterprises must rethink data handling practices immediately.
Written by Eric Hastings

Security researchers have uncovered a vulnerability in one of the most popular AI tools for spreadsheets. ChatGPT for Google Sheets can be tricked into shipping sensitive corporate data to attackers with nothing more than a single poisoned cell.

The flaw, laid out in detail by PromptArmor on May 27, 2026, shows how indirect prompt injection in a single sheet triggers scripts that pull workbooks from across a victim’s Google account. No approval clicks required. Even the “stop” button in the sidebar fails to halt the process.

Consider a finance analyst reviewing quarterly numbers. She imports a CSV from a vendor. That file contains hidden instructions, rendered in white text so they stay invisible. Later she asks the add-on a routine question about integrating the new data. The model, now carrying the injected commands in its context, quietly launches an external script. Within moments her financial model, linked reports, and a dozen other spreadsheets start streaming to an attacker-controlled server.

This isn’t theory. PromptArmor’s proof-of-concept demonstrated exfiltration of 12 separate workbooks. Attacker logs captured the full financial model. The same mechanism also paints phishing overlays across the interface, complete with fake login prompts that harvest OpenAI credentials or trick users into reconnecting connectors.

And the reach extends further. Similar issues surface in other AI spreadsheet tools. PromptArmor documented how Ramp’s Sheets AI could insert formulas that phoned home without human review. Anthropic addressed comparable risks in Claude for Excel after earlier findings.

OpenAI received notification on May 8, 2026. The company sent an automated reply. Follow-ups on May 12 and 18 produced silence. Public disclosure followed on May 27. The vendor’s documentation still omits any serious discussion of model manipulation through untrusted spreadsheet content.

But the problem runs deeper than one add-on. Just weeks earlier, Check Point Research revealed a hidden outbound channel inside ChatGPT’s code execution environment. Published March 30, 2026, the report described how a malicious prompt could activate DNS tunneling to exfiltrate conversation history, uploaded files, and model outputs without any user notification. OpenAI patched it February 20.

Researchers there captured a striking example. A personal-doctor GPT leaked patient identity and medical assessment data. “A single malicious prompt could activate a hidden exfiltration channel,” the team noted. The technique turned the sandbox against itself.

Enterprise users face compounded risk. Many organizations now rely on these add-ons for routine analysis. Sales forecasts. Customer churn models. Intellectual property roadmaps. All sit inside spreadsheets that suddenly become vectors when mixed with external data.

The injection technique itself proves deceptively simple. Place instructions in a cell. Format the text white on white. Import the sheet or connect it via a data source. When the AI reads the sheet to answer a query, the hidden text enters the model's context and is treated as instructions. From there it can call Google Apps Script with the full permissions granted to the add-on.

Those permissions often span the entire Drive. One compromised sheet. One innocent query. Dozens of files gone. The “Apply edits automatically” toggle offers no protection because the malicious action runs as a script, not a formula edit.

Phishing variants add insult. One attack renders a sidebar that perfectly clones the ChatGPT interface. It can harvest every prompt the user types. Another opens a modal window loaded from an attacker domain, asking for re-authentication. Users see what looks like an official error and comply.

Security teams have limited controls. Google Workspace administrators can revoke the add-on’s permissions under Permissions & roles > ChatGPT for Excel and Google Sheets. Yet many companies lack centralized visibility into which users installed it. Shadow AI remains common.

Broader industry patterns suggest this represents only the visible edge. Prompt injection continues to evolve. Zenity Labs demonstrated 0-click exfiltration through ChatGPT Connectors in August 2025, pulling data straight from Google Drive after a poisoned file upload. No user interaction needed beyond opening the conversation.

Check Point’s work on the code interpreter channel showed that even isolated runtimes carry hidden communication paths. DNS queries became the escape hatch. Data encoded, tunneled, decoded on the other side. Remote shell access became possible.

So what now? Organizations cannot simply ban every AI spreadsheet tool. Productivity gains prove real. The alternative demands disciplined data hygiene. Never feed untrusted content directly to these models. Isolate analysis to clean copies. Monitor add-on permissions aggressively. Treat every external dataset as potentially hostile.
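One way to screen an imported sheet for the white-on-white text described above before any AI add-on reads it. This is an added example, not code from PromptArmor, OpenAI, or the article. It assumes cell values, font colours, and background colours arrive as matching 2D arrays of "#rrggbb" strings, the shape Apps Script range getters return; the function names and the 1.5 threshold are hypothetical.

```javascript
// Added example: flag cells whose text is effectively invisible (low contrast).
// Assumption: colours are "#rrggbb" strings; anything else is flagged for review.

// WCAG relative luminance of a "#rrggbb" colour, or null if unparseable.
function luminance(hex) {
  const m = /^#?([0-9a-f]{6})$/i.exec(String(hex).trim());
  if (!m) return null;
  const chan = [0, 2, 4].map((i) => {
    const c = parseInt(m[1].slice(i, i + 2), 16) / 255;
    return c <= 0.03928 ? c / 12.92 : Math.pow((c + 0.055) / 1.055, 2.4);
  });
  return 0.2126 * chan[0] + 0.7152 * chan[1] + 0.0722 * chan[2];
}

// WCAG contrast ratio: 1 means identical colours, 21 is black on white.
function contrastRatio(fg, bg) {
  const a = luminance(fg), b = luminance(bg);
  if (a === null || b === null) return 1; // unknown colour: treat as hidden
  return (Math.max(a, b) + 0.05) / (Math.min(a, b) + 0.05);
}

// Return {row, col, contrast, text} for every non-empty low-contrast cell.
function findHiddenText(values, fontColors, backgrounds, minContrast = 1.5) {
  const found = [];
  values.forEach((row, r) => row.forEach((v, c) => {
    const text = String(v ?? "").trim();
    if (!text) return; // empty cells cannot carry instructions
    const ratio = contrastRatio(fontColors[r][c], backgrounds[r][c]);
    if (ratio < minContrast) {
      found.push({ row: r + 1, col: c + 1, contrast: +ratio.toFixed(2), text });
    }
  }));
  return found;
}

// Constructed sample sheet (not taken from the PromptArmor report).
const values = [["Vendor", "Q1 total"], ["Acme", 1200], ["(constructed hidden note)", ""]];
const fonts = [["#000000", "#000000"], ["#000000", "#000000"], ["#fefefe", "#000000"]];
const fills = [["#ffffff", "#ffffff"], ["#ffffff", "#ffffff"], ["#ffffff", "#ffffff"]];
console.log(findHiddenText(values, fonts, fills));
```

Low contrast is only one way to hide text in a sheet, so a clean result does not make an imported file trusted.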

Vendors must do better. Clear warnings in documentation. Granular permission models that separate read access from script execution. Human-in-the-loop requirements for any network call or external script launch. OpenAI’s muted response to responsible disclosure raises questions about prioritization.

The PromptArmor team, which has produced a series of similar reports on agentic tools, frames the issue plainly. These products ship powerful capabilities without adequate defenses against context manipulation. The result is predictable. Data leaves the building.

Finance teams, legal departments, and strategy groups now operate in an environment where a single spreadsheet cell can betray the entire organization. The convenience that made these tools popular also makes the risks systemic. Until boundaries between trusted and untrusted data harden, the exfiltration pipelines will remain open.

Recent coverage on Hacker News and security forums shows growing awareness. Yet adoption continues. The tension between capability and control defines the current moment in enterprise AI tooling. One poisoned sheet can expose years of strategic planning. The attack surface hides in plain sight, formatted to blend with the grid.
