Arbitrary Process Execution Vulnerability in Grist Spreadsheet Software
CVE-2026-24002

9.1 CRITICAL

Key Information:

Vendor

Gristlabs

CVE Published:
22 January 2026

What is CVE-2026-24002?

CVE-2026-24002 is a vulnerability in Grist, a spreadsheet application that uses Python as its formula language. Because every formula is Python code supplied by whoever authored the document, Grist runs formulas inside a sandbox, and the pyodide sandbox flavor is one of the options for opening untrusted spreadsheets. In affected versions the pyodide flavor does not adequately isolate formula execution: when GRIST_SANDBOX_FLAVOR is set to pyodide, opening a malicious document can cause arbitrary processes to be executed on the server hosting Grist. Since the payload travels inside an ordinary-looking document, the consequences for an organisation include unauthorised access to data held on that server and takeover of the host itself.

The issue is fixed in grist-core 1.7.9 and later, which runs the pyodide environment under deno to obtain a stronger sandbox. Deployments that cannot update immediately should set GRIST_SANDBOX_FLAVOR to gvisor as a temporary workaround before opening untrusted documents.
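As an added example (not code from the Grist project or from this advisory), a small Python check that decides from a deployment's grist-core version string and its environment whether it matches the affected configuration described above, and names the remediation. The `.env`-style input is constructed for the example; the function and variable names are mine, and treating an unset GRIST_SANDBOX_FLAVOR as "unknown, verify" rather than as safe is an assumption, since the advisory does not state the default flavor. The version comparison is numeric so that a future 1.7.10 is correctly ranked above 1.7.9.

```python
"""Check a Grist deployment against the configuration affected by
CVE-2026-24002: grist-core < 1.7.9 with GRIST_SANDBOX_FLAVOR=pyodide.

Added example; names and the sample environment below are constructed,
not taken from the Grist project.
"""

import re

FIXED_VERSION = (1, 7, 9)          # first release with pyodide run under deno
VULNERABLE_FLAVOR = "pyodide"
WORKAROUND_FLAVOR = "gvisor"       # temporary workaround named in the advisory

# Constructed sample of a container environment dump (not a real deployment).
SAMPLE_ENV = """# constructed example
GRIST_SANDBOX_FLAVOR=pyodide
PORT=8484
"""


def parse_version(version: str) -> tuple:
    """Turn '1.7.10' or 'v1.7.10-rc1' into (1, 7, 10).

    A plain string comparison would rank '1.7.10' below '1.7.9', so the
    components are compared as integers.
    """
    m = re.fullmatch(r"v?(\d+)\.(\d+)\.(\d+)(?:[-+].*)?", version.strip())
    if not m:
        raise ValueError(f"unrecognised grist-core version: {version!r}")
    return tuple(int(part) for part in m.groups())


def parse_env(env_text: str) -> dict:
    """Parse KEY=VALUE lines (as in a .env file or an env dump);
    blank lines and '#' comments are ignored, surrounding quotes stripped."""
    env = {}
    for line in env_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        env[key.strip()] = value.strip().strip('"').strip("'")
    return env


def assess(version: str, env: dict) -> dict:
    """Return a finding with 'affected' (True / False / None for unknown),
    a reason, and the recommended action."""
    if parse_version(version) >= FIXED_VERSION:
        return {"affected": False,
                "reason": f"grist-core {version} includes the fix",
                "action": "none"}
    flavor = env.get("GRIST_SANDBOX_FLAVOR")
    if flavor == VULNERABLE_FLAVOR:
        return {"affected": True,
                "reason": f"grist-core {version} with the {flavor} sandbox flavor",
                "action": (f"upgrade to >= 1.7.9; until then set "
                           f"GRIST_SANDBOX_FLAVOR={WORKAROUND_FLAVOR}")}
    if flavor is None:
        # Assumption: the advisory does not say which flavor applies when the
        # variable is unset, so report it as unknown rather than safe.
        return {"affected": None,
                "reason": "GRIST_SANDBOX_FLAVOR is unset; effective flavor unknown",
                "action": "confirm the effective sandbox flavor, then upgrade"}
    return {"affected": False,
            "reason": f"sandbox flavor is {flavor}, not {VULNERABLE_FLAVOR}",
            "action": "upgrade to >= 1.7.9 at the next opportunity"}


if __name__ == "__main__":
    finding = assess("1.7.8", parse_env(SAMPLE_ENV))
    for key, value in finding.items():
        print(f"{key}: {value}")
```

Run it against the real version string (for example from the container image tag) and the container's environment; a result of `affected: None` means the check could not see the effective sandbox flavor and the deployment should be inspected rather than assumed safe.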

Potential impact of CVE-2026-24002

  1. Arbitrary Process Execution: An attacker who gets a crafted document opened on an affected server can run processes of their choosing on it, which can lead to full compromise of the host and a foothold for moving further into the organisation's network.

  2. Data Breaches: Exploitation could result in unauthorized access to sensitive datasets and confidential information stored within Grist, leading to significant data leakage and compliance issues.

  3. Operational Disruption: The execution of arbitrary processes on the server could interfere with legitimate operations, potentially resulting in downtime or degradation of service, thereby impacting business continuity.

Affected Version(s)

grist-core < 1.7.9

CVSS V3.1

Score: 9.1
Severity: CRITICAL
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: High
Privileges Required: None
User Interaction: None
Scope: Changed

Timeline

  • Vulnerability published

  • Vulnerability reserved
