A critical security vulnerability known as Cellbreak has been discovered in Grist-Core, an open-source spreadsheet-database platform that uses Pyodide for formula execution. This flaw, tracked as CVE-2026-24002, allows a malicious user to bypass the sandbox environment and execute unauthorized commands on the host system.
The security flaw identified as CVE-2026-24002 carries a critical CVSS score of 9.1 and was uncovered by researchers at Cyera Research Labs. The vulnerability specifically targets the way Grist-Core handles Python-based formulas within its self-hosted environments. By exploiting this weakness, an attacker could craft a specific formula that breaks out of its intended isolation, effectively turning a standard spreadsheet into a tool for remote code execution.
According to the researchers, this sandbox escape represents a significant breakdown of the boundary between the logic contained within a spreadsheet cell and the underlying operating system. Instead of being restricted to the intended computational limits, a formula author can run host-runtime JavaScript or issue direct OS commands. This type of exploit is similar to recent vulnerabilities found in other platforms, indicating a broader trend of security challenges within WebAssembly-based sandboxing environments.
The root of the issue lies in Pyodide, which is a Python distribution designed to run inside a web browser using a WebAssembly sandbox. While this technology is intended to keep untrusted code contained, the Cellbreak exploit proves that these boundaries are not impenetrable. When Grist-Core uses Pyodide for formula execution without additional layers of protection, it leaves a door open for attackers to manipulate the host environment through seemingly harmless spreadsheet data.
Project maintainers have officially addressed the flaw with the release of Grist-Core version 1.7.9 on January 9, 2026. They have advised users to check their security configurations through the Admin Panel of their respective instances. The risk is specific to those using the pyodide sandboxing method; those who have configured their systems to use gvisor are not susceptible to this particular escape.
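A small triage helper for operators of several self-hosted instances, added here as an example and not code from the article or the Grist project. It assumes the sandbox flavor is read from the `GRIST_SANDBOX_FLAVOR` environment variable (grist-core's setting for this, not named in the article) and that the operator supplies the running version string from the image tag or the Admin Panel.

```python
"""Triage: is a self-hosted grist-core instance exposed to CVE-2026-24002?

Assumption (not from the article): the sandbox flavor is configured through
the GRIST_SANDBOX_FLAVOR environment variable, and the operator supplies the
running version string (image tag or Admin Panel value).
"""
import re

FIXED_VERSION = (1, 7, 9)   # fixed release per the advisory (2026-01-09)


def parse_version(text: str):
    """Extract a (major, minor, patch) tuple from strings like 'v1.7.8' or '1.7.9-rc1'."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"no semantic version found in {text!r}")
    return tuple(int(x) for x in m.groups())


def parse_env(lines):
    """Parse KEY=VALUE lines (an .env file or `docker inspect` Env output) into a dict."""
    env = {}
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        env[key.strip()] = value.strip().strip("\"'")
    return env


def triage(env: dict, version: str) -> str:
    """Classify one instance: vulnerable, patched, not-affected, unknown, or out-of-scope."""
    flavor = env.get("GRIST_SANDBOX_FLAVOR", "").lower()
    if not flavor:
        return "unknown"            # flavor not set explicitly; confirm in the Admin Panel
    if flavor == "gvisor":
        return "not-affected"       # the advisory states gvisor is not susceptible
    if flavor != "pyodide":
        return "out-of-scope"       # other flavors are not covered by this advisory
    if parse_version(version) >= FIXED_VERSION:
        return "patched"
    return "vulnerable"


if __name__ == "__main__":
    # Constructed sample environment, not taken from any real deployment
    sample = ["# grist .env", 'GRIST_SANDBOX_FLAVOR="pyodide"', "PORT=8484"]
    print(triage(parse_env(sample), "v1.7.8"))   # vulnerable
```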
To prevent potential system takeovers, all self-hosted users who rely on the vulnerable sandboxing method should upgrade to the latest version of Grist-Core. This incident highlights the ongoing necessity for rigorous security reviews of open-source tools that execute user-provided code. As researchers continue to find ways to bypass virtual containers, keeping software up to date remains the primary defense against sophisticated remote code execution attacks.
Source: Critical Grist Core Vulnerability Enables Remote Code Execution Through Spreadsheets