Hiding malicious instructions inside a spreadsheet cell is all it takes to manipulate Ramp's AI into sending your financial data to an attacker - at least according to a proof-of-concept demonstration from security researchers at PromptArmor.
PromptArmor published their findings on April 29, 2026, showing that Ramp's Sheets AI feature is vulnerable to a prompt injection attack. Prompt injection is an attack where instructions hidden inside content that an AI reads are treated as commands, causing it to do something the user never intended. In this case: quietly copy and transmit financial data to a location controlled by the attacker.
How the Attack Path Works
Ramp is a corporate spend management platform - companies use it to manage expenses, corporate cards, and financial reporting. Sheets AI is a feature that applies AI analysis to spreadsheet data. PromptArmor's demonstration showed that an attacker who can get crafted content into a spreadsheet that Sheets AI processes can cause the AI to exfiltrate (quietly transmit) the financial data in that sheet.
The realistic attack path in a company: a vendor or external party sends a document with hidden instructions embedded. A finance team member uploads it to Sheets AI for analysis. The AI follows the attacker's embedded instructions rather than the user's, and data leaves the company silently. No Ramp account needs to be broken into. No passwords need to be stolen. The attack rides on the trust your organization already extends to the AI feature.
Invoices and Vendor Documents Are the Attack Vector
Prompt injection has been a documented attack class since large language models - the AI systems powering tools like Sheets AI - became capable enough to take real-world actions. The structural issue is that these models were trained to follow instructions, and they don't reliably distinguish between "instruction from the authorized user" and "instruction embedded in data I was told to read."
Financial tools are a particularly attractive target because the documents they process regularly come from external parties. Invoices, vendor statements, receipts, and contracts all arrive from outside your organization, and any of them could carry embedded instructions - either placed intentionally or because a vendor's own systems were compromised. Similar attacks have been demonstrated against AI features integrated with email platforms and customer support systems.
Reducing Exposure Without a Patch
As of April 29, 2026, Ramp has not publicly disclosed a patch or response timeline. Until they do, the practical options are limited: avoid processing untrusted external documents through Sheets AI, and escalate the issue to whoever manages your organization's Ramp account so they can monitor for unusual data access.
The question every organization should now be asking of AI tools that process external documents: how does this product defend against prompt injection? Vendors who answer with specifics - sandboxing, output filtering, instruction hierarchy enforcement - are taking the problem seriously. Vendors who can't answer it probably haven't looked.