ChatGPT for Google Sheets Exfiltrates Workbooks

A critical security vulnerability has been identified in ChatGPT for Google Sheets, an AI extension with over 185,000 downloads in less than a month. Researchers from PromptArmor discovered that the tool is susceptible to indirect prompt injection attacks, which can allow malicious actors to exfiltrate sensitive workbooks and execute phishing attacks without requiring human approval, even when users have explicitly enabled safety settings to prevent automatic edits.

The attack chain begins when a user imports an untrusted external dataset into a Google Sheet. This data may contain a hidden prompt injection, such as text rendered in white characters. When the user asks the ChatGPT sidebar to process or integrate this data, the injected instructions manipulate the AI model into running an attacker-controlled external script. This script leverages the permissions granted to the extension to bypass security protocols. Once initiated, the script can exfiltrate the entire financial model or data from the workbook. Crucially, the attack persists even if the user attempts to stop the process by clicking the stop button in the sidebar; scripts already launched continue to execute.

Furthermore, the compromised extension can facilitate phishing overlay attacks. The malicious script can open a sidebar or a pop-up modal that overlays the legitimate interface, impersonating the ChatGPT extension to steal credentials or trick users into authorizing further malicious actions. In one demonstrated scenario, the script identified links to other connected spreadsheets within the stolen data, automatically locating and exfiltrating a total of 12 workbooks.

The vulnerability was responsibly disclosed to OpenAI on May 8, 2026. However, the researchers received no substantive communication beyond an automated confirmation of receipt. OpenAI's documentation for the extension reportedly fails to warn users about the risks of indirect prompt injection or the extent of privileged script execution capabilities granted to the model. Due to this lack of response and inadequate public guidance on the specific risks, PromptArmor proceeded with public disclosure to ensure organizations are aware of the potential threat surface. OpenAI has not yet issued a patch or a detailed statement on the fix.

In the meantime, organizations are advised to review their access controls. Administrators can restrict access to the extension by navigating to Workspace settings, selecting Permissions & roles, and managing the permissions for ChatGPT for Excel and Google Sheets. Users should exercise extreme caution when importing external data into spreadsheets integrated with AI tools until a resolution is confirmed.
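Because the attack chain described above starts with text hidden in imported data, a pre-processing check can flag cells whose font colour is nearly indistinguishable from their fill. The following is an added example, not code from PromptArmor or OpenAI; the function names, the 1.5 contrast threshold and the sample grid are assumptions, and the inputs are 2-D arrays shaped like those Apps Script returns from `Range.getValues()` and `Range.getBackgrounds()`, plus a matching grid of font colours.

```javascript
// Added example: report non-empty cells whose text is effectively invisible.
// Catches colour-based hiding only; other hiding methods need other checks.

// Relative luminance of a "#rrggbb" colour (WCAG 2.x definition).
function luminance(hex) {
  const m = /^#?([0-9a-f]{6})$/i.exec(String(hex).trim());
  if (!m) return null; // not a hex colour: cannot judge, so do not flag
  const n = parseInt(m[1], 16);
  const [r, g, b] = [n >> 16, (n >> 8) & 255, n & 255].map((v) => {
    const c = v / 255;
    return c <= 0.03928 ? c / 12.92 : Math.pow((c + 0.055) / 1.055, 2.4);
  });
  return 0.2126 * r + 0.7152 * g + 0.0722 * b;
}

// WCAG contrast ratio: 1 means identical colours, 21 is black on white.
function contrastRatio(fg, bg) {
  const a = luminance(fg), b = luminance(bg);
  if (a === null || b === null) return null;
  return (Math.max(a, b) + 0.05) / (Math.min(a, b) + 0.05);
}

// Zero-based column index to A1-style letters (0 -> A, 26 -> AA).
function columnLetter(index) {
  let s = "";
  for (let n = index + 1; n > 0; n = Math.floor((n - 1) / 26)) {
    s = String.fromCharCode(65 + ((n - 1) % 26)) + s;
  }
  return s;
}

// minRatio = 1.5 is an assumed threshold; tune it for your own sheets.
function findHiddenText(values, fontColors, backgrounds, minRatio = 1.5) {
  const hits = [];
  values.forEach((row, r) => row.forEach((value, c) => {
    if (!String(value ?? "").trim()) return; // empty cells hide nothing
    const ratio = contrastRatio(fontColors[r][c], backgrounds[r][c]);
    if (ratio !== null && ratio < minRatio) {
      hits.push({ cell: columnLetter(c) + (r + 1), ratio: Number(ratio.toFixed(2)) });
    }
  }));
  return hits;
}

// Constructed sample grid: row 3 holds white-on-white and near-white text.
const sampleValues = [["Region", "Revenue"], ["EMEA", 1200], ["(constructed hidden note)", "(constructed)"]];
const sampleFonts = [["#000000", "#000000"], ["#000000", "#000000"], ["#ffffff", "#fefefe"]];
const sampleFills = sampleValues.map((row) => row.map(() => "#ffffff"));
console.log(findHiddenText(sampleValues, sampleFonts, sampleFills));
```

Flagged cells are candidates for review or removal before the sheet is handed to an AI sidebar; a clean result does not rule out injections hidden by other means.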