The ChatGPT for Google Sheets extension contains a critical vulnerability that allows attackers to exfiltrate data and launch phishing attacks through indirect prompt injection. Disclosed publicly by PromptArmor on May 27, 2026 after OpenAI failed to provide substantive response to a May 8 report, the vulnerability enables a single malicious query to compromise multiple workbooks across a victim's entire Google account.
Attack Exploits Extension's Ability to Execute External Scripts
The vulnerability exploits the ChatGPT for Google Sheets extension's capability to execute external scripts. When users interact with untrusted data sources—such as imported sheets or connectors containing hidden prompt injections—the AI can be manipulated into running attacker-controlled code. This occurs even when users have explicitly disabled automatic edits.
Data at risk includes:
- Multiple workbooks accessible from a victim's Google account
- Financial models and sensitive spreadsheet data
- User credentials via phishing overlays
- User prompts and interactions with the AI
Attack Capabilities Extend Beyond Simple Data Theft
Attackers leveraging this vulnerability can:
- Display phishing pop-ups designed to steal credentials
- Hijack the ChatGPT sidebar with fake interfaces
- Make unauthorized edits to workbooks
- Harvest user prompts and interactions
- Manipulate users into reconnecting third-party connectors
These capabilities transform a productivity tool into a comprehensive attack surface for social engineering and data exfiltration.
OpenAI Response Raises Security Disclosure Concerns
PromptArmor disclosed the vulnerability to OpenAI on May 8, 2026. Despite multiple follow-ups, OpenAI provided only an automated acknowledgment with no substantive response. This lack of engagement prompted the public disclosure on May 27, 2026, raising questions about OpenAI's security disclosure process and responsiveness to third-party vulnerability reports.
The timeline highlights challenges in coordinating security fixes for AI integrations in enterprise environments, where multiple vendors share responsibility for the attack surface.
Organizations Advised to Restrict Extension Access
PromptArmor recommends that organizations restrict access to the extension via Workspace settings under "Permissions & roles > ChatGPT for Excel and Google Sheets." This mitigation prevents the extension from accessing sensitive workbooks while the vulnerability remains unpatched.
Vulnerability Exemplifies Broader LLM Security Challenges
This case demonstrates the real-world exploitation paths for prompt injection attacks in enterprise environments. Integrating large language models with productivity tools that have broad data access creates security risks that remain fundamentally unsolved in current LLM architectures. The vulnerability shows how indirect prompt injection—a known theoretical attack vector—translates into practical threats when AI systems gain access to sensitive enterprise data.
Key Takeaways
- ChatGPT for Google Sheets extension is vulnerable to data exfiltration through indirect prompt injection attacks
- A single malicious query can compromise multiple workbooks across a victim's entire Google account
- PromptArmor disclosed the vulnerability to OpenAI on May 8, 2026, but received only automated responses
- Public disclosure on May 27, 2026 followed OpenAI's failure to provide substantive engagement
- Organizations should restrict extension access via Workspace settings until the vulnerability is patched