Critical Cellbreak Vulnerability in Grist-Core Enables Remote Code Execution
Take action: If you're running Grist-Core, immediately update to version 1.7.9 to fix this flaw. There's a PoC available, so exploits will start VERY SOON. If you can't update right away, change your GRIST_SANDBOX_FLAVOR setting to "gvisor" as an interim protection measure.
Learn More
Grist-Core, an open-source spreadsheet-database platform, addressed a critical security flaw dubbed "Cellbreak." This vulnerability allows attackers to use malicious formulas to break out of the software's isolated environment. Once the sandbox is breached, an attacker can run commands directly on the host server, effectively taking control of the system.
The flaw, tracked as CVE-2026-24002 (CVSS score 9.1), is a critical sandbox escape that leads to remote code execution. It exists in the Pyodide sandbox, which Grist uses to run Python formulas. Researchers found that the sandbox relied on a weak "blocklist" approach to security: attackers can bypass the restrictions by navigating Python's internal class structure or by using the ctypes library to reach the underlying Emscripten runtime.
The simplest exploit used ctypes to call system() directly: import ctypes; ctypes.CDLL(None).system(b'whoami') - a single line in a formula cell that executes arbitrary OS commands.
The most powerful method uses emscripten_run_script_string() to run JavaScript in the host Node.js runtime: import ctypes; e = ctypes.CDLL(None).emscripten_run_script_string; e.restype = ctypes.c_char_p; e(b"require('child_process').execSync('env')") - which could exfiltrate environment variables containing database credentials and API keys.
Both exploits could be embedded in a malicious Grist document and would execute automatically when opened, turning a spreadsheet formula into full remote code execution.
Researchers published a PoC video of the exploit.
A successful exploit could allow an attacker to move laterally through a corporate network or steal secrets stored in environment variables.
Grist released version 1.7.9 to fix the issue by moving formula execution into the Deno runtime. Deno provides a more secure, permission-based model that blocks unauthorized system access. Administrators should update immediately or change the GRIST_SANDBOX_FLAVOR setting to "gvisor" to protect their instances.
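For administrators triaging their own instances, the following added example (not code from the Grist project or the researchers) does two things the advisory implies but does not show: it flags formula cells carrying the indicators named above (ctypes, CDLL, the Emscripten bridge, Node child_process), and it checks whether an instance's version or GRIST_SANDBOX_FLAVOR setting falls under the stated mitigation. The indicator names and the (table, column, formula) input shape are my own assumptions; the sample formulas are constructed, with the two one-liners taken from this write-up.

```python
from __future__ import annotations
import re

# Indicators drawn from the Cellbreak write-up. Names are my own; the strings
# match what the advisory describes (ctypes, CDLL, emscripten bridge, child_process).
INDICATORS = {
    "ctypes_import": re.compile(r"\bimport\s+ctypes\b|\bfrom\s+ctypes\s+import\b"),
    "ctypes_cdll": re.compile(r"\bctypes\.CDLL\s*\("),
    "emscripten_bridge": re.compile(r"\bemscripten_run_script_string\b"),
    "node_child_process": re.compile(r"require\(\s*['\"]child_process['\"]\s*\)"),
}

def scan_formula(formula: str) -> list[str]:
    """Return the names of every indicator that matches a formula's source."""
    return [name for name, rx in INDICATORS.items() if rx.search(formula)]

def scan_document(columns) -> list[dict]:
    """columns: iterable of (table, column, formula); assumed input shape.
    Returns one finding per formula column that matches any indicator."""
    findings = []
    for table, col, formula in columns:
        hits = scan_formula(formula or "")  # formula may be None for data columns
        if hits:
            findings.append({"table": table, "column": col, "indicators": hits})
    return findings

def is_mitigated(version: str, sandbox_flavor: str | None) -> bool:
    """Fixed in 1.7.9; GRIST_SANDBOX_FLAVOR=gvisor is the advisory's interim measure."""
    parts = tuple(int(p) for p in re.findall(r"\d+", version)[:3])
    parts += (0,) * (3 - len(parts))  # pad short version strings like "1.8"
    return parts >= (1, 7, 9) or (sandbox_flavor or "").lower() == "gvisor"

# Constructed sample: three benign formulas plus the two one-liners quoted in
# the advisory, placed in formula cells as an attacker would.
SAMPLE_COLUMNS = [
    ("Invoices", "Total", "$Quantity * $UnitPrice"),
    ("Invoices", "Due", "$Date + datetime.timedelta(days=30)"),
    ("Contacts", "Initials", "''.join(w[0] for w in $Name.split())"),
    ("Contacts", "x", "import ctypes; ctypes.CDLL(None).system(b'whoami')"),
    ("Contacts", "y", "import ctypes; e = ctypes.CDLL(None).emscripten_run_script_string; "
                      "e.restype = ctypes.c_char_p; e(b\"require('child_process').execSync('env')\")"),
]

if __name__ == "__main__":
    for f in scan_document(SAMPLE_COLUMNS):
        print(f"{f['table']}.{f['column']}: {', '.join(f['indicators'])}")
    print("mitigated:", is_mitigated("1.7.8", "gvisor"))
```

Feed scan_document() the formula column metadata of a document under review; any hit is worth a manual look, and a clean scan does not replace updating to 1.7.9.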