Security researchers have disclosed a critical vulnerability in Grist-Core, the open-source spreadsheet and database platform, that could allow remote code execution through malicious spreadsheet formulas.
Vulnerability Details
CVE-2026-24002 (codenamed “Cellbreak”)
- CVSS Score: 9.1 (Critical)
- Type: Remote Code Execution
- Vector: Malicious spreadsheet formulas
How It Works
Grist lets users write Python formulas in spreadsheet cells for advanced data manipulation. The Cellbreak vulnerability stems from insufficient sandboxing of that formula execution:
- Attacker creates spreadsheet with malicious formula
- Formula escapes Python sandbox
- Arbitrary code executes on server
- Full system compromise possible
Attack Scenarios
Shared Workspaces
- Attacker shares malicious spreadsheet with team
- Any user opening the document triggers the exploit
- Lateral movement to other systems possible
Public Templates
- Malicious templates uploaded to sharing platforms
- Users import templates into their instances
- Code execution on victim infrastructure
Document Uploads
- Organizations that accept spreadsheet uploads are at risk
- Automated processing triggers vulnerability
- No user interaction required
Affected Deployments
Organizations running self-hosted Grist installations should prioritize patching:
- Internal data platforms
- Customer-facing spreadsheet applications
- Automated data processing pipelines
- Integration with business systems
Remediation
- Update immediately to a patched Grist version
- Audit existing spreadsheets for suspicious formulas
- Restrict formula capabilities if possible
- Limit network access from Grist servers
- Monitor for unusual process execution
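The remediation list above recommends auditing existing spreadsheets for suspicious formulas. As an added example, not code from Grist or from the researchers, here is a small static checker that parses each formula as Python and flags imports of system modules, use of dangerous builtins, and access to dunder attributes. It assumes the formula text has already been extracted from the document (the sample cells below are constructed) and rewrites Grist's `$Col` shorthand to `rec.Col` before parsing.

```python
import ast
import re
import textwrap

# Builtins and modules a data-manipulation formula has no business touching.
SUSPICIOUS_NAMES = {"__import__", "eval", "exec", "compile", "open", "globals", "vars", "getattr"}
SUSPICIOUS_MODULES = {"os", "sys", "subprocess", "socket", "importlib", "ctypes", "builtins"}


def formula_findings(formula):
    """Return the reasons a Grist-style Python formula looks suspicious ([] = nothing found)."""
    # Grist's `$Col` shorthand stands for `rec.Col`; rewrite it so the formula is plain Python.
    python_src = re.sub(r"\$(\w)", r"rec.\1", formula)
    # Formulas may contain statements and `return`, so parse them as a function body.
    wrapped = "def _formula(rec):\n" + textwrap.indent(python_src, "    ")
    try:
        tree = ast.parse(wrapped)
    except SyntaxError:
        return ["formula does not parse as Python"]
    findings = []
    for node in ast.walk(tree):
        modules = []
        if isinstance(node, ast.Import):
            modules = [alias.name for alias in node.names]
        elif isinstance(node, ast.ImportFrom):
            modules = [node.module or ""]
        for mod in modules:
            if mod.split(".")[0] in SUSPICIOUS_MODULES:
                findings.append(f"imports {mod}")
        if isinstance(node, ast.Name) and node.id in SUSPICIOUS_NAMES:
            findings.append(f"references {node.id}")
        if isinstance(node, ast.Attribute) and node.attr.startswith("__") and node.attr.endswith("__"):
            findings.append(f"accesses dunder attribute {node.attr}")
    return findings


def audit_cells(cells):
    """Map (table, column) -> findings, keeping only the formula columns that were flagged."""
    flagged = {}
    for key, src in cells.items():
        reasons = formula_findings(src)
        if reasons:
            flagged[key] = reasons
    return flagged


# Constructed sample: formula source per table column, as pulled from a document export.
SAMPLE_CELLS = {
    ("Orders", "Total"): "$Price * $Qty",
    ("Orders", "Label"): "return $Name.upper()",
    ("Orders", "Hostname"): "import subprocess\nreturn subprocess.check_output('hostname')",
    ("Orders", "Odd"): "$Name.__class__",
}

if __name__ == "__main__":
    for (table, column), reasons in audit_cells(SAMPLE_CELLS).items():
        print(f"{table}.{column}: {'; '.join(reasons)}")
```

A static check like this is a triage aid, not a sandbox: obfuscated formulas can evade it, so treat a hit as a reason to investigate and a clean result as no guarantee.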
Formula Security
This vulnerability highlights the risks of code execution built into document formats:
- Excel macros remain a persistent threat
- Google Sheets Apps Script can be abused
- Jupyter notebooks execute arbitrary code
- Any formula language is potential attack surface
Organizations should evaluate code execution capabilities in all document platforms and implement appropriate controls.