Full Report
A critical security flaw has been disclosed in Grist-Core, an open-source, self-hosted version of the Grist relational spreadsheet-database, that could result in remote code execution. The vulnerability, tracked as CVE-2026-24002 (CVSS score: 9.1), has been codenamed Cellbreak by Cyera Research Labs. "One malicious formula can turn a spreadsheet into a Remote Code Execution (RCE) beachhead,"
Analysis Summary
# Vulnerability: Cellbreak - RCE in Grist-Core via Malicious Spreadsheet Formula
## CVE Details
- CVE ID: CVE-2026-24002
- CVSS Score: 9.1 (Critical)
- CWE: Not explicitly stated; the flaw is best characterized as a sandbox escape / improper input validation in formula execution.
## Affected Systems
- Products: Grist-Core (open-source, self-hosted relational spreadsheet-database)
- Versions: Prior to 1.7.9.
- Configurations: Affected when the instance uses the **Pyodide** sandboxing method for Python formula execution (indicated by `GRIST_SANDBOX_FLAVOR` being set to `pyodide` and not using the Deno fallback, or when `GRIST_PYODIDE_SKIP_DENO` is set to "1"). Systems using **gvisor** are *not* affected.
## Vulnerability Description
The vulnerability, codenamed "Cellbreak," is a **Pyodide sandbox escape** rooted in Grist's Python formula execution environment. By inserting a specially crafted formula into a spreadsheet, an attacker can exploit flaws in Pyodide's isolation mechanism (which relies on a blocklist approach) to escape sandboxed WebAssembly (WASM) execution. This escape allows an attacker to execute OS commands or run host-runtime JavaScript via access to internal runtime functions (specifically through Python's class hierarchy and `ctypes`). This effectively allows "cell logic" to become host execution.
## Exploitation
- Status: Disclosed by researchers; in-the-wild exploitation status is not stated, and the risk is treated as high given the critical severity. **A Proof-of-Concept (PoC) is implied** by the published description of the exploit path.
- Complexity: Assumed **Medium to High** as it requires knowledge of the Pyodide/Emscripten internals to construct the malicious formula.
- Attack Vector: Uploading/sharing a malicious spreadsheet document containing the formula.
## Impact
- Confidentiality: **High** (Potential for unauthorized access to database credentials, API keys, and sensitive files on the host).
- Integrity: **High** (Ability to execute arbitrary code/commands on the server).
- Availability: **High** (Ability to interfere with or crash the hosting server/service).
## Remediation
### Patches
- **Version 1.7.9 (Released January 9, 2026)** or later. Grist maintainers addressed the issue by moving Pyodide formula execution under the Deno JavaScript runtime by default.
### Workarounds
1. **Update immediately** to version 1.7.9+.
2. If updating immediately is not possible, operators can switch the sandbox flavor by setting the environment variable `GRIST_SANDBOX_FLAVOR` to `gvisor`. This setting ensures the system is not vulnerable.
3. **Avoid** setting `GRIST_PYODIDE_SKIP_DENO` to `"1"`.
## Detection
- **Configuration Check:** Check the Admin Panel of the Grist instance under the sandboxing section. If 'pyodide' is listed, the instance is potentially vulnerable if running pre-patch versions.
- **Indicator of Compromise (IOC):** Look for unusual outbound network connections or unexpected process execution originating from the Grist application process paths, especially if formulas are executed.
- **Detection Methods:** Monitoring system calls originating from the formula execution sandbox for attempts to access restricted filesystems or spawn non-standard processes.
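The remediation and configuration-check guidance above can be turned into a repeatable exposure check across an inventory of instances. The following is an added example, not Grist's own tooling or anything from the researcher report; it encodes only the conditions stated in this summary (pre-1.7.9 with the `pyodide` flavor is affected, `GRIST_PYODIDE_SKIP_DENO=1` disables the Deno wrapper the fix relies on, `gvisor` is not affected). The function names, return values and the sample inventory are assumptions made for the example, and an unset or other flavor is reported as "unknown" because the summary does not state the default.

```python
"""Exposure check for the Cellbreak (CVE-2026-24002) configuration conditions.

Added example, not Grist's own tooling. Function names, status strings and the
sample inventory below are assumptions made for this illustration.
"""
import re

FIXED_VERSION = (1, 7, 9)  # first release that runs Pyodide under Deno by default


def parse_version(text):
    """Turn '1.7.9', 'v1.7.9' or '1.7.10-dev' into a comparable tuple of ints.

    Non-numeric suffixes are ignored; missing components are treated as 0,
    so '1.7' compares as (1, 7, 0).
    """
    parts = []
    for piece in text.strip().lstrip("vV").split("."):
        m = re.match(r"\d+", piece)
        if m is None:
            break
        parts.append(int(m.group()))
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts[:3])


def assess(version, env):
    """Return (status, reason) for one instance.

    status is one of:
      "not_affected" - gvisor sandbox, outside the vulnerable configuration
      "vulnerable"   - pyodide sandbox on a pre-1.7.9 build, or Deno wrapper skipped
      "patched"      - pyodide sandbox on 1.7.9+ with the Deno wrapper in use
      "unknown"      - flavor not pyodide or gvisor; confirm in the Admin Panel
    """
    flavor = env.get("GRIST_SANDBOX_FLAVOR", "").strip().lower()
    skip_deno = env.get("GRIST_PYODIDE_SKIP_DENO", "").strip() == "1"
    ver = parse_version(version)

    if flavor == "gvisor":
        return "not_affected", "GRIST_SANDBOX_FLAVOR=gvisor is not affected"
    if flavor == "pyodide":
        if ver < FIXED_VERSION:
            return "vulnerable", f"pyodide sandbox on {version}; upgrade to 1.7.9 or later"
        if skip_deno:
            return "vulnerable", "GRIST_PYODIDE_SKIP_DENO=1 bypasses the Deno wrapper the fix relies on"
        return "patched", f"pyodide sandbox on {version} runs under Deno"
    return "unknown", "sandbox flavor is not pyodide or gvisor; confirm in the Admin Panel"


# Constructed sample inventory (hypothetical hosts) covering each outcome.
SAMPLE_INSTANCES = {
    "grist-a": ("1.7.8", {"GRIST_SANDBOX_FLAVOR": "pyodide"}),
    "grist-b": ("v1.7.9", {"GRIST_SANDBOX_FLAVOR": "pyodide"}),
    "grist-c": ("1.7.9", {"GRIST_SANDBOX_FLAVOR": "pyodide", "GRIST_PYODIDE_SKIP_DENO": "1"}),
    "grist-d": ("1.6.0", {"GRIST_SANDBOX_FLAVOR": "gvisor"}),
    "grist-e": ("1.7.10", {}),
}


def assess_inventory(instances=SAMPLE_INSTANCES):
    """Map each instance name to its (status, reason) pair."""
    return {name: assess(ver, env) for name, (ver, env) in instances.items()}


if __name__ == "__main__":
    for name, (status, reason) in assess_inventory().items():
        print(f"{name}: {status} ({reason})")
```

In practice the version and environment would be read from each deployment (for example the container's environment and the running image tag); the point of the check is that a 1.7.9+ build is only covered by the fix while the Deno wrapper is actually in use, so the `GRIST_PYODIDE_SKIP_DENO` setting has to be inspected alongside the version.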
## References
- Vendor Advisory (Grist GitHub Releases): `github.com/gristlabs/grist-core/releases/tag/v1.7.9`
- CVE Tracking/Source: `github.com/gristlabs/grist-core/security/advisories/GHSA-7xvx-8pf2-pv5g`
- Researcher Report (Cyera): `cyera.com/research-labs/cellbreak-grists-pyodide-sandbox-escape-and-the-data-at-risk-blast-radius`