Critical Grist-Core Vulnerability Allows RCE Attacks via Spreadsheet Formulas
A critical security flaw has been disclosed in Grist-Core, an open-source, self-hosted version of the Grist relational spreadsheet-database, that could result in remote code execution. The vulnerability, tracked as CVE-2026-24002 (CVSS score: 9.1), has been codenamed Cellbreak by Cyera Research Labs. "One malicious formula can turn a spreadsheet into a Remote Code Execution (RCE) beachhead,"
AI Analysis
Technical Summary
The Cellbreak vulnerability (CVE-2026-24002) affects Grist-Core, an open-source, self-hosted relational spreadsheet-database platform that executes Python formulas within spreadsheets using Pyodide, a Python distribution running in WebAssembly within browsers. The vulnerability arises from a flawed sandboxing approach that relies on a blocklist rather than capability-based controls, allowing malicious formulas to escape the Pyodide sandbox. Specifically, the sandbox permits traversal through Python's class hierarchy and leaves the ctypes module accessible, enabling attackers to reach Emscripten runtime functions that should be inaccessible. This sandbox escape allows execution of arbitrary OS commands and host runtime JavaScript, effectively collapsing the boundary between spreadsheet cell logic and host system execution. An attacker opening a malicious spreadsheet can execute commands on the server hosting Grist, potentially accessing sensitive files, database credentials, API keys, and enabling lateral movement within the network. The vulnerability is similar in nature to the previously disclosed N8scape vulnerability (CVE-2025-68668) affecting n8n. Grist-Core maintainers addressed the issue by moving formula execution to the Deno JavaScript runtime by default in version 1.7.9, released January 9, 2026. However, if operators set the environment variable GRIST_PYODIDE_SKIP_DENO to '1', the vulnerable Pyodide sandbox is used again, reintroducing risk. Temporary mitigation involves setting the sandbox flavor to 'gvisor', which is not affected. The vulnerability underscores the risks of relying on blocklist-based sandboxing and highlights the need for capability-based, defense-in-depth sandbox designs to prevent data-plane breaches. No known exploits are currently active in the wild, but the critical severity and ease of exploitation warrant immediate attention.
Potential Impact
For European organizations, the Cellbreak vulnerability poses a significant risk due to the potential for remote code execution on servers hosting Grist-Core instances. Organizations using Grist-Core for managing relational spreadsheet-databases, especially those processing untrusted or semi-trusted formulas, face threats including unauthorized access to sensitive corporate data, exposure of database credentials and API keys, and the possibility of attackers moving laterally within internal networks. This could lead to data breaches, operational disruption, and compromise of critical business systems. Given Grist-Core's self-hosted nature, organizations with less mature patch management or security monitoring may be particularly vulnerable. The vulnerability's exploitation does not require user interaction beyond opening a malicious spreadsheet, increasing the risk of automated or targeted attacks. The impact extends to sectors relying on Grist-Core for data management, including finance, healthcare, research, and government agencies across Europe. The ability to execute arbitrary OS commands could also facilitate deployment of ransomware or other malware, amplifying operational and reputational damage.
Mitigation Recommendations
European organizations should immediately update all Grist-Core instances to version 1.7.9 or later to ensure the default use of the secure Deno JavaScript runtime for formula execution. Administrators must verify the sandbox flavor in use via the Admin Panel; if 'pyodide' is active, urgent patching is required. Avoid setting the environment variable GRIST_PYODIDE_SKIP_DENO to '1' unless absolutely necessary and only in fully trusted environments. As a temporary mitigation, switch the sandbox flavor to 'gvisor' to prevent exploitation while planning updates. Conduct thorough audits of existing spreadsheets for potentially malicious formulas, especially those sourced externally or from untrusted users. Implement strict access controls and monitoring on Grist-Core servers to detect anomalous command execution or file access. Employ network segmentation to limit lateral movement from compromised hosts. Educate users about the risks of opening untrusted spreadsheets and enforce policies restricting formula editing privileges. Finally, integrate Grist-Core patch management into broader organizational vulnerability management and incident response plans to ensure rapid remediation of future issues.
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Italy, Spain, Belgium, Poland, Finland
Technical Details
Article Source: https://thehackernews.com/2026/01/critical-grist-core-vulnerability.html (fetched 2026-01-27T20:26:48Z, 1169 words)
Threat ID: 69791f8b4623b1157c45d428
Added to database: 1/27/2026, 8:26:51 PM
Last enriched: 1/27/2026, 8:28:25 PM
Last updated: 2/7/2026, 11:40:38 PM