CVE-2026-55664
MEDIUMGrist: Insufficient access control in the /forms endpoint exposes table metadata
Title source: cnaDescription
Grist is spreadsheet software using Python as its formula language. Prior to 1.7.15, the GET /forms endpoint read table and column metadata without applying the document's access rules and did not check that the requested section was actually a form. A user with only partial read access, including public access on a publicly viewable document, could request the metadata of any widget and reveal table and column structure that access rules would otherwise hide, even in documents that contain no forms. This issue is fixed in version 1.7.15.
References (3)
Core 3
Core References
X_Refsource_Confirm x_refsource_confirm
https://github.com/gristlabs/grist-core/security/advisories/GHSA-w2hc-w6cg-xvh9
X_Refsource_Misc x_refsource_misc
https://github.com/gristlabs/grist-core/commit/14694156fe99c438c5f7a452ad367e933bb194db
X_Refsource_Misc x_refsource_misc
https://github.com/gristlabs/grist-core/releases/tag/v1.7.15
Scores
CVSS v3
4.3
EPSS
0.0024
EPSS Percentile
15.3%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Details
CWE
CWE-200
CWE-285
Status
published
Products (1)
gristlabs/grist-core
< 1.7.15
Published
Jul 10, 2026
Tracked Since
Jul 11, 2026