๐Ÿ” CVE Alert

CVE-2026-55664

MEDIUM 4.3

Grist: Insufficient access control in the /forms endpoint exposes table metadata

CVSS Score
4.3
EPSS Score
0.2%
EPSS Percentile
15th

Grist is spreadsheet software using Python as its formula language. Prior to 1.7.15, the GET /forms endpoint read table and column metadata without applying the document's access rules and did not check that the requested section was actually a form. A user with only partial read access, including public access on a publicly viewable document, could request the metadata of any widget and reveal table and column structure that access rules would otherwise hide, even in documents that contain no forms. This issue is fixed in version 1.7.15.

CWE CWE-200 CWE-285
Vendor gristlabs
Product grist-core
Published Jul 10, 2026
Last Updated Jul 13, 2026
Stay Ahead of the Next One

Get instant alerts for gristlabs grist-core

Be the first to know when new medium vulnerabilities affecting gristlabs grist-core are published โ€” delivered to Slack, Telegram or Discord.

Get Free Alerts โ†’ Free ยท No credit card ยท 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
None
Availability
None

Affected Versions

gristlabs / grist-core
< 1.7.15

References

NVD โ†— CVE.org โ†— EPSS Data โ†—
github.com: https://github.com/gristlabs/grist-core/security/advisories/GHSA-w2hc-w6cg-xvh9 github.com: https://github.com/gristlabs/grist-core/commit/14694156fe99c438c5f7a452ad367e933bb194db github.com: https://github.com/gristlabs/grist-core/releases/tag/v1.7.15