A severe security flaw has been discovered in Grist-Core, the open-source, self-hosted version of the Grist relational spreadsheet-database. This vulnerability, tracked as CVE-2026-24002 and codenamed Cellbreak, could allow attackers to execute remote code via malicious spreadsheet formulas, leading to a significant risk for systems running the software.
What Is the Grist-Core Vulnerability?
The flaw stems from a security feature bypass in the way Grist-Core processes spreadsheet formulas. Specifically, the vulnerability lies in the Pyodide sandboxing method used for executing Python code in the web browser. A malicious actor can exploit this flaw by sending a user a malicious spreadsheet, which, when opened, allows the attacker to execute arbitrary commands on the host system.
Although the issue relies on user interaction (the user must open the malicious spreadsheet), it exposes a serious weakness in how cloud applications handle untrusted inputs. This security hole allows attackers to bypass OLE mitigations in Microsoft 365 and Microsoft Office, giving them the ability to run OS commands or host-runtime JavaScript.
Why Is This Vulnerability Critical?
This vulnerability is rated critical because it could let attackers take control of systems running Grist-Core. Once exploited, the attacker can gain access to sensitive files, steal database credentials, and even execute JavaScript within the host environment. This gives malicious actors the ability to perform data manipulation, exposure, and lateral movement within networks.
Grist-Core’s reliance on Pyodide for executing Python code inside a sandbox environment left this vector vulnerable. The sandbox was designed to prevent unauthorized access to the host system, but flaws in its design allowed attackers to traverse the Python class hierarchy and access Emscripten runtime functions.
Mitigation Steps and Updates
In response to the vulnerability, Grist has implemented a fix by moving the Pyodide formula execution under the Deno JavaScript runtime. However, the risk remains if the GRIST_PYODIDE_SKIP_DENO setting is explicitly enabled, which should be avoided in environments where untrusted formulas are common.
Users are encouraged to update to Grist version 1.7.9 or later as soon as possible. For those unable to update immediately, a temporary mitigation is to set the GRIST_SANDBOX_FLAVOR environment variable to "gvisor".
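The two mitigation conditions above (version 1.7.9 or later without GRIST_PYODIDE_SKIP_DENO enabled, or the gVisor sandbox flavor) can be checked mechanically against a deployment's configuration. The following is an added example, not code from the article or from the Grist project; it assumes the version string and the two environment variable values are read from the deployment (for instance a compose .env file or container inspection), and it assumes "true" or "1" are the values that count as "explicitly enabled".

```shell
#!/bin/sh
# Added example: audit a Grist-Core deployment against the CVE-2026-24002
# (Cellbreak) guidance. Inputs are assumed to be gathered by the operator:
#   $1 = running Grist version (e.g. 1.7.9)
#   $2 = value of GRIST_SANDBOX_FLAVOR ("" if unset)
#   $3 = value of GRIST_PYODIDE_SKIP_DENO ("" if unset)

# version_ge A B: succeed when dotted version A is >= B (compares 3 fields,
# missing fields count as 0, a leading "v" is ignored).
version_ge() {
    v1=${1#v}; v2=${2#v}
    i=1
    while [ "$i" -le 3 ]; do
        a=$(printf '%s' "$v1" | cut -d. -f"$i"); a=${a:-0}
        b=$(printf '%s' "$v2" | cut -d. -f"$i"); b=${b:-0}
        [ "$a" -gt "$b" ] && return 0
        [ "$a" -lt "$b" ] && return 1
        i=$((i + 1))
    done
    return 0
}

# grist_cellbreak_status VERSION SANDBOX_FLAVOR SKIP_DENO
# Prints PATCHED, MITIGATED or AT_RISK; returns 0 only when not at risk.
grist_cellbreak_status() {
    version="$1"; flavor="$2"; skip_deno="$3"

    # The fix runs Pyodide under Deno; opting out with GRIST_PYODIDE_SKIP_DENO
    # re-exposes the pre-fix behaviour even on 1.7.9+. Treating "true"/"1" as
    # enabled is an assumption of this example.
    if version_ge "$version" "1.7.9" \
        && [ "$skip_deno" != "true" ] && [ "$skip_deno" != "1" ]; then
        echo PATCHED
        return 0
    fi
    # gVisor is the documented interim mitigation for deployments that
    # cannot update yet.
    if [ "$flavor" = "gvisor" ]; then
        echo MITIGATED
        return 0
    fi
    echo AT_RISK
    return 1
}

# Usage: grist_cellbreak_status "$GRIST_VERSION" \
#            "$GRIST_SANDBOX_FLAVOR" "$GRIST_PYODIDE_SKIP_DENO"
```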
A Wake-up Call for Cloud Security
The Grist-Core vulnerability underscores the dangers of relying on fragile sandboxing methods in cloud applications. It highlights the need for robust, defense-in-depth security strategies to prevent attackers from gaining access to critical systems and data. As this issue is addressed, organizations are reminded of the importance of regular security updates and staying vigilant against emerging threats in the cloud security landscape.
By leveraging secure sandboxing techniques and continuously improving security measures, organizations can reduce the risk posed by vulnerabilities like CVE-2026-24002 and protect their systems from remote code execution attacks.