A critical security flaw has been disclosed in Grist‑Core, an open-source, self-hosted version of the Grist relational spreadsheet-database, that could result in remote code execution.
The vulnerability, tracked as CVE-2026-24002 (CVSS score: 9.1), has been codenamed Cellbreak by Cyera Research Labs.
“One malicious formula can turn a spreadsheet into a Remote Code Execution (RCE) beachhead,” security researcher Vladimir Tokarev, who discovered the flaw, said. “This sandbox escape lets a formula author execute OS commands or run host‑runtime JavaScript, collapsing the boundary between ‘cell logic’ and host execution.”
Cellbreak is categorized as a case of Pyodide sandbox escape, the same kind of vulnerability that also recently impacted n8n (CVE-2025-68668, CVSS score: 9.9, aka N8scape). The vulnerability has been addressed in version 1.7.9, released on January 9, 2026.
“A security review identified a vulnerability in the ‘pyodide’ sandboxing method that is available in Grist,” the project maintainers said. “You can check if you are affected in the sandboxing section of the Admin Panel of your instance. If you see ‘gvisor’ there, then you are not affected. If you see ‘pyodide,’ then it is important to update to this version of Grist or later.”
In a nutshell, the problem is rooted in Grist’s Python formula execution, which allows untrusted formulas to be run inside Pyodide, a Python distribution that enables regular Python code to be executed directly in a web browser within the confines of a WebAssembly (WASM) sandbox.
While the idea behind this thought process is to ensure that Python formula code is run in an isolated environment, the fact that Grist uses a blocklist-style approach makes it possible to escape the sandbox and ultimately achieve command execution on the underlying host.
“The sandbox’s design allows traversal through Python’s class hierarchy and leaves ctypes available, which together open access to Emscripten runtime functions that should never be reachable from a formula cell,” Tokarev explained. “That combination enables host command execution and JavaScript execution in the host runtime, with practical outcomes like filesystem access and secret exposure.”
According to Grist, when a user has set GRIST_SANDBOX_FLAVOR to Pyodide and opens a malicious document, that document could be used to run arbitrary processes on the server hosting Grist. Armed with this capability to execute commands or JavaScript via a formula, an attacker can leverage this behavior to access database credentials and API keys, read sensitive files, and present lateral movement opportunities.
Grist has addressed the problem by moving Pyodide formula execution under the Deno JavaScript runtime by default. However, it’s worth noting that the risk rears its head once again if an operator explicitly chooses to set GRIST_PYODIDE_SKIP_DENO to the value “1.” The setting should be avoided…
Source link
Disclaimer
We strive to uphold the highest ethical standards in all of our reporting and coverage. We blogs.grocliq.com want to be transparent with our readers about any potential conflicts of interest that may arise in our work. It’s possible that some of the investors we feature may have connections to other businesses, including competitors or companies we write about. However, we want to assure our readers that this will not have any impact on the integrity or impartiality of our reporting. We are committed to delivering accurate, unbiased news and information to our audience, and we will continue to uphold our ethics and principles in all of our work. Thank you for your trust and support.
Website Upgradation is going on for any glitch kindly connect at [email protected]
