In a technical analysis, Cyera Research Labs researcher Vladimir Tokarev reported that a critical flaw in the self‑hosted Grist‑Core spreadsheet database, tracked as CVE-2026-24002 and rated CVSS 9.1, can enable remote code execution from a malicious formula. The issue was fixed in Grist Core version 1.7.9 on January 9, 2026.
KEY FACTS
- Incident: Pyodide sandbox escape in Grist‑Core allows host command execution
- Identifier: CVE-2026-24002, CVSS score 9.1
- Impact: Remote code execution, host JavaScript execution, potential secret and file access
- Mitigation: Update to Grist 1.7.9 or set sandbox to gvisor
The vulnerability, codenamed Cellbreak, stems from Grist’s use of Pyodide to run Python formulas in a WebAssembly sandbox inside the browser. The blocklist approach used for sandboxing can be bypassed to traverse Python internals and reach ctypes and Emscripten runtime functions that should not be available to formula code.
When an instance is configured with GRIST_SANDBOX_FLAVOR set to pyodide, opening a malicious document can be used to execute arbitrary processes on the server hosting Grist. A successful exploit can expose database credentials and API keys, read sensitive files, and create lateral movement opportunities.
Grist fixed the issue in Grist Core version 1.7.9, released January 9, 2026, by changing the default execution path so that Pyodide formulas run under the Deno JavaScript runtime. Operators should avoid setting GRIST_PYODIDE_SKIP_DENO to “1” when untrusted or semi‑trusted formulas may run, since that re-enables the unisolated path. As a temporary measure, setting GRIST_SANDBOX_FLAVOR to gvisor prevents the Pyodide path from being used at all.
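The version and environment-variable rules above can be turned into a quick exposure check for a self-hosted deployment. The following script is an added example written for this article, not Grist's own tooling; it encodes only the conditions the article states (pyodide flavor before 1.7.9, and GRIST_PYODIDE_SKIP_DENO=1 on fixed versions), treats an unset GRIST_SANDBOX_FLAVOR as something to review rather than assuming a default, and the sample configurations at the bottom are constructed for illustration.

```python
"""Exposure check for CVE-2026-24002 (Cellbreak) in Grist-Core.

Added example, not Grist's own code. Rules come from the advisory text:
  * GRIST_SANDBOX_FLAVOR=pyodide on a version before 1.7.9 -> vulnerable
  * version 1.7.9+ with GRIST_PYODIDE_SKIP_DENO=1           -> at risk
  * GRIST_SANDBOX_FLAVOR=gvisor (or any non-pyodide flavor)  -> Pyodide path unused
The effective default flavor when the variable is unset is not stated in
the advisory, so that case is reported for manual review.
"""
import os
import re
from typing import Mapping, Tuple

FIXED_VERSION: Tuple[int, int, int] = (1, 7, 9)


def parse_version(version: str) -> Tuple[int, int, int]:
    """Reduce strings like '1.7.9', 'v1.7.10' or '1.7.9-rc1' to (major, minor, patch).

    Only the first three numeric components are compared; pre-release suffixes
    are ignored, which is conservative for an exposure check.
    """
    parts = [int(x) for x in re.findall(r"\d+", version)[:3]]
    while len(parts) < 3:
        parts.append(0)
    return parts[0], parts[1], parts[2]


def assess(version: str, env: Mapping[str, str]) -> Tuple[str, str]:
    """Return (status, reason) for a deployment's version and environment.

    status is one of: 'vulnerable', 'at-risk', 'mitigated', 'not-affected', 'review'.
    """
    flavor = env.get("GRIST_SANDBOX_FLAVOR", "").strip().lower()
    skip_deno = env.get("GRIST_PYODIDE_SKIP_DENO", "").strip() == "1"
    parsed = parse_version(version)

    if not flavor:
        return ("review",
                "GRIST_SANDBOX_FLAVOR is unset; confirm the effective sandbox "
                "flavor for this deployment before concluding anything")
    if flavor != "pyodide":
        return ("not-affected",
                f"sandbox flavor '{flavor}' does not use the Pyodide path")
    if parsed < FIXED_VERSION:
        return ("vulnerable",
                f"version {version} runs Pyodide formulas without the Deno fix; "
                "update to 1.7.9 or set GRIST_SANDBOX_FLAVOR=gvisor")
    if skip_deno:
        return ("at-risk",
                "GRIST_PYODIDE_SKIP_DENO=1 disables the Deno isolation added "
                "in 1.7.9; unset it where untrusted formulas may run")
    return ("mitigated",
            f"version {version} runs Pyodide formulas under Deno")


# Constructed sample configurations (not real deployments).
SAMPLE_DEPLOYMENTS = {
    "legacy-pyodide": ("1.7.8", {"GRIST_SANDBOX_FLAVOR": "pyodide"}),
    "patched-pyodide": ("v1.7.9", {"GRIST_SANDBOX_FLAVOR": "pyodide"}),
    "patched-but-skip-deno": ("1.7.10", {"GRIST_SANDBOX_FLAVOR": "pyodide",
                                          "GRIST_PYODIDE_SKIP_DENO": "1"}),
    "gvisor-workaround": ("1.7.8", {"GRIST_SANDBOX_FLAVOR": "gvisor"}),
    "flavor-unset": ("1.7.8", {}),
}


def assess_samples() -> dict:
    """Run the check over the constructed samples and return name -> status."""
    return {name: assess(ver, env)[0] for name, (ver, env) in SAMPLE_DEPLOYMENTS.items()}


if __name__ == "__main__":
    # Check the process environment itself; GRIST_VERSION is an assumed name
    # for however the operator supplies the running version (adjust as needed).
    live_version = os.environ.get("GRIST_VERSION", "0.0.0")
    print("live:", assess(live_version, os.environ))
    for name, status in assess_samples().items():
        print(f"{name:24s} {status}")
```

Run it inside the container or host where Grist's environment variables are set; the sample table shows each rule firing once, and the live line reports the status for the current process environment.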
WHY IT MATTERS
The flaw shows that a single permissive execution surface can collapse boundaries between data logic and host execution. Organizations running self‑hosted instances should update or apply the sandbox change to reduce the risk of server compromise and data exposure.