CVE-2026-55664
ADVISORY - docker
Summary
Impact
The GET /forms endpoint read table and column metadata without applying the document's access rules, and did not check that the requested section was actually a form. A user with only partial read access, including public access on a publicly-viewable document, could request the metadata of any widget and reveal table and column structure that access rules would otherwise hide, even in documents that contain no forms.
Patches
Fixed since version 1.7.15. The fix fetches form metadata through the access-rule-aware path and rejects requests for sections that are not forms.
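The two checks described above, shown on a simplified model as an added example. This is not the project's code: the document model, role names, function names and status codes are assumptions made for illustration.

```javascript
// Constructed sample document; the data model and every name here are hypothetical.
const doc = {
  sections: {
    1: { kind: "form", tableId: "Signups" },
    2: { kind: "table", tableId: "Payroll" }, // a widget that is not a form
  },
  tables: {
    Signups: ["name", "email", "internal_score"],
    Payroll: ["employee", "salary"],
  },
  // Access rules: the columns each role may read, per table.
  rules: {
    owner: { Signups: ["name", "email", "internal_score"], Payroll: ["employee", "salary"] },
    public: { Signups: ["name", "email"] },
  },
};

// Before: returns raw metadata for any section id. The caller's role is never
// consulted and the section kind is never checked.
function getFormMetaVulnerable(doc, sectionId) {
  const section = doc.sections[sectionId];
  if (!section) return { status: 404 };
  return { status: 200, tableId: section.tableId, columns: doc.tables[section.tableId] };
}

// After: reject sections that are not forms, then return only the columns the
// caller's access rules allow. The 404/403 choice is an assumption of this sketch.
function getFormMetaHardened(doc, sectionId, role) {
  const section = doc.sections[sectionId];
  if (!section || section.kind !== "form") return { status: 404 };
  const allowed = (doc.rules[role] || {})[section.tableId];
  if (!allowed) return { status: 403 };
  const columns = doc.tables[section.tableId].filter((c) => allowed.includes(c));
  return { status: 200, tableId: section.tableId, columns };
}

// A public reader asking for the non-form widget, before and after the checks.
console.log(JSON.stringify(getFormMetaVulnerable(doc, 2)));
console.log(JSON.stringify(getFormMetaHardened(doc, 2, "public")));
console.log(JSON.stringify(getFormMetaHardened(doc, 1, "public")));
```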
Workarounds
Avoid sharing or publishing documents whose table or column structure is sensitive, or block the /forms endpoint.
Common Weakness Enumeration (CWE)