CVE-2026-55664

ADVISORY - docker

Summary

Impact

The GET /forms endpoint read table and column metadata without applying the document's access rules, and did not check that the requested section was actually a form. A user with only partial read access, including public access on a publicly-viewable document, could request the metadata of any widget and reveal table and column structure that access rules would otherwise hide, even in documents that contain no forms.

Patches

Fixed since version 1.7.15. The fix fetches form metadata through the access-rule-aware path and rejects requests for sections that are not forms.
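The two halves of the fix described above, as an added example that is not Grist's own code: a simplified in-memory model contrasting the unfiltered lookup with one that rejects non-form sections and applies the caller's access rules. The section and rule structures, function names, sample data and status codes are all assumptions made for illustration.

```javascript
// Constructed model of a document; names and shapes are hypothetical, not Grist's schema.
const sections = new Map([
  [1, { kind: "form", table: "Signups", columns: ["name", "email"] }],
  [2, { kind: "table", table: "Salaries", columns: ["employee", "amount"] }],
  [3, { kind: "form", table: "Feedback", columns: ["comment", "internal_score"] }],
]);

// Constructed access rules: for each user, the columns readable per table.
const readable = new Map([
  ["public", new Map([["Signups", ["name", "email"]], ["Feedback", ["comment"]]])],
  ["owner", new Map([
    ["Signups", ["name", "email"]],
    ["Salaries", ["employee", "amount"]],
    ["Feedback", ["comment", "internal_score"]],
  ])],
]);

// Pre-fix pattern: raw metadata for any section id, with no access-rule
// filtering and no check that the section is a form.
function getFormMetaUnfiltered(user, sectionId) {
  const s = sections.get(sectionId);
  if (!s) return { status: 404 };
  return { status: 200, table: s.table, columns: s.columns };
}

// Post-fix pattern: reject non-form sections, then return only what the
// caller's access rules allow. Status codes are an assumption of this sketch.
function getFormMeta(user, sectionId) {
  const s = sections.get(sectionId);
  // Same answer for "missing" and "not a form", so ids cannot be told apart.
  if (!s || s.kind !== "form") return { status: 404 };
  const tables = readable.get(user) || new Map();
  const allowed = tables.get(s.table);
  if (!allowed) return { status: 403 };
  const columns = s.columns.filter((c) => allowed.includes(c));
  return { status: 200, table: s.table, columns };
}

// Regression helper: section ids where the unfiltered path reveals columns
// that the user's access rules do not allow them to read.
function leakedSections(user) {
  const tables = readable.get(user) || new Map();
  return [...sections.keys()].filter((id) => {
    const allowed = tables.get(sections.get(id).table) || [];
    return getFormMetaUnfiltered(user, id).columns.some((c) => !allowed.includes(c));
  });
}
```

A check like leakedSections can be kept as a regression test: it should list nothing for a fully privileged user and flag every section where a restricted user would have seen hidden structure.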

Workarounds

Avoid sharing or publishing documents whose table or column structure is sensitive, or block the /forms endpoint.

Docker

CREATED

UPDATED

ADVISORY ID: CVE-2026-55664

EXPLOITABILITY SCORE: -

EXPLOITS FOUND: -

COMMON WEAKNESS ENUMERATION (CWE): -

RATING UNAVAILABLE FROM ADVISORY

Package  Type  OS Name  OS Version  Affected Ranges  Fix Versions
grist    dhi   -        -           <1.7.15          1.7.15

Severity and metrics

No CVSS data available from this advisory.