Critical Grist-Core Vulnerability Allows RCE Attacks via Spreadsheet Formulas
Critical Grist-Core Vulnerability Allows RCE Attacks via Spreadsheet Formulas
https://thehackernews.com/2026/01/critical-grist-core-vulnerability.html
Publish Date: 2026-01-27 05:36:00
Source Domain: thehackernews.com
A critical security flaw has been disclosed in Grist‑Core, an open-source, self-hosted version of the Grist relational spreadsheet-database, that could result in remote code execution.
The vulnerability, tracked as CVE-2026-24002 (CVSS score: 9.1), has been codenamed Cellbreak by Cyera Research Labs.
“One malicious formula can turn a spreadsheet into a Remote Code Execution (RCE) beachhead,” security researcher Vladimir Tokarev, who discovered the flaw, said. “This sandbox escape lets a formula author execute OS commands or run host‑runtime JavaScript, collapsing the boundary between ‘cell logic’ and host execution.”
Cellbreak is categorized as a case of Pyodide sandbox escape, the same kind of vulnerability that also recently impacted n8n (CVE-2025-68668, CVSS score: 9.9, aka N8scape). The vulnerability has been addressed in version 1.7.9, released on January 9, 2026.
“A security review identified a vulnerability in the ‘pyodide’ sandboxing method that is available in Grist,” the project maintainers said. “You can check if you are affected in the sandboxing section of the Admin Panel of your instance. If you see ‘gvisor’ there, then you are not affected. If you see ‘pyodide,’ then it is important to update to this version of Grist or later.”
In a nutshell, the problem is rooted in Grist’s Python formula execution, which allows untrusted formulas to be run inside Pyodide, a Python distribution that enables regular Python code to be executed directly in a web browser within the confines of a WebAssembly (WASM) sandbox.
While the idea behind this thought process is to ensure that Python formula code is run in an isolated environment, the fact that Grist uses a blocklist-style approach makes it possible to escape the sandbox and ultimately achieve command execution on the underlying host.
“The sandbox’s design allows traversal through Python’s class hierarchy and leaves ctypes available, which…
