Disable Formula in Report Control
Control Name
Report Management - Disable formula in report.
Control Overview
Org-wide setting that strips Excel formulas from report exports, preventing malicious formula injection attacks when users download sensitive data as spreadsheets.
Description
When enabled, Salesforce exports reports as static values only (no =FORMULATEXT(), no VBA macros), blocking attackers from embedding executable code in custom formula fields that execute upon opening in Excel/LibreOffice.
Recommended Configuration
Enable the "Disable Formula in Report to avoid formula injection in the report output" option in Setup, under Report/Dashboard Setting.
Security Impact
Eliminates primary vector for formula-based malware distribution through legitimate business reports. Forces safe static exports protecting downstream recipients from automatic code execution.
Business Impact
Maintains report export functionality while eliminating Excel macro security risks. No user workflow changes required. Supports compliance requirements for secure data sharing.
Security Risk If Not Configured
User reports contain a potential formula injection vulnerability when exported to Excel, enabling malware delivery through trusted business documents.
Threat Scenarios
Increased risk of formula injection attacks and information disclosure attacks; compromised users with report export permissions embed malicious formulas (=CMD('net user hacker password!/add'), =HYPERLINK("javascript:malware()")) in formula fields that execute when executives and finance teams open exported CSVs in Excel.
Estimated CVSS Score Range
Critical (9.0–10.0).
Risk Impact Considerations
Every report export becomes a potential malware vector; impact scales with user count and report distribution frequency; legitimate complex formulas must be reimplemented as static summary fields.
Higher Risk When
External users export reports, custom formula fields contain dynamic calculations, reports distributed via email/Experience Cloud, or Excel-heavy finance/sales teams.
Low Risk When
Reports only viewed in Salesforce UI, no custom formula fields, internal users only, PDF export preference established.
Business and Integration Considerations
Communicate change to report-heavy users; audit existing formula fields before enabling; test critical reports in sandbox exports.
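A check for the sandbox export test recommended above, added here as an example and not Salesforce's or this page's own code: it scans an exported CSV for cells that Excel or LibreOffice would evaluate as formulas. The trigger-character list follows common CSV-injection guidance and, like the function names and the sample export, is an assumption.

```python
import csv
import io

# Leading characters that spreadsheet applications treat as the start of a
# formula (common CSV-injection guidance); an assumption, not from the page.
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")


def is_plain_number(value):
    """True for values such as -1200.50 or +15 that are numeric, not formulas."""
    try:
        float(value.replace(",", ""))
        return True
    except ValueError:
        return False


def find_formula_cells(csv_text):
    """Return (row, column_name, value) for each cell a spreadsheet would evaluate."""
    findings = []
    reader = csv.reader(io.StringIO(csv_text, newline=""))
    header = next(reader, [])
    for row_no, row in enumerate(reader, start=2):  # row 1 is the header
        for col_no, cell in enumerate(row):
            if not cell.startswith(FORMULA_TRIGGERS):
                continue
            if cell[0] in "+-" and is_plain_number(cell):
                continue  # signed amounts are normal in finance reports
            name = header[col_no] if col_no < len(header) else f"col{col_no + 1}"
            findings.append((row_no, name, cell))
    return findings


# Constructed sample export (not real Salesforce output).
SAMPLE_EXPORT = (
    "Account,Amount,Notes\r\n"
    "Acme,-1200.50,Renewal\r\n"
    'Globex,300,"=HYPERLINK(""http://example.invalid"",""Invoice"")"\r\n'
    "Initech,+15,@SUM(A1:A2)\r\n"
)

if __name__ == "__main__":
    for row_no, column, value in find_formula_cells(SAMPLE_EXPORT):
        print(f"row {row_no}, column {column!r}: {value!r}")
```

An empty result on exports of the critical reports is the expected outcome once the setting is enabled; any finding points to a field that still reaches the spreadsheet as a live formula.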
Security Health Review Guidance
Must have.
Who Is Impacted
Report builders using formula fields, end users exporting to Excel, security teams monitoring export patterns, compliance officers verifying secure data sharing controls.

