CVE-2026-24002

9.0 CRITICAL

📋 TL;DR

This vulnerability allows arbitrary code execution on Grist servers when using the pyodide sandbox flavor with untrusted spreadsheets. Attackers can run arbitrary processes on the server hosting Grist. Affects Grist deployments where GRIST_SANDBOX_FLAVOR is set to 'pyodide' and users open malicious documents.

💻 Affected Systems

Products:
  • Grist
Versions: before 1.7.9
Operating Systems: All platforms running Grist
Default Config Vulnerable: ✅ No
Notes: Only vulnerable when GRIST_SANDBOX_FLAVOR environment variable is explicitly set to 'pyodide'.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete server compromise allowing attackers to execute arbitrary commands, access sensitive data, pivot to other systems, and maintain persistent access.

🟠

Likely Case

Server compromise leading to data theft, installation of malware, or use of server resources for malicious activities like cryptocurrency mining.

🟢

If Mitigated

No impact if using gvisor sandbox or patched version, as proper sandboxing prevents code execution.

🌐 Internet-Facing: HIGH - Internet-facing Grist instances with pyodide sandbox are directly exploitable by uploading malicious spreadsheets.
🏢 Internal Only: MEDIUM - Internal instances still vulnerable to insider threats or compromised accounts uploading malicious spreadsheets.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires user interaction (opening malicious spreadsheet) but the attack vector is straightforward once the sandbox is misconfigured.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.7.9 and later

Vendor Advisory: https://github.com/gristlabs/grist-core/security/advisories/GHSA-7xvx-8pf2-pv5g

Restart Required: Yes

Instructions:

1. Update Grist to version 1.7.9 or later.
2. Restart the Grist service.
3. Verify GRIST_SANDBOX_FLAVOR is not set to 'pyodide'.

🔧 Temporary Workarounds

Switch to gvisor sandbox

all

Change the sandbox flavor from pyodide to gvisor, which provides proper isolation:

export GRIST_SANDBOX_FLAVOR=gvisor

🧯 If You Can't Patch

  • Set GRIST_SANDBOX_FLAVOR environment variable to 'gvisor' instead of 'pyodide'
  • Restrict spreadsheet uploads to trusted sources only and implement strict access controls

🔍 How to Verify

Check if Vulnerable:

Check whether the GRIST_SANDBOX_FLAVOR environment variable is set to 'pyodide' and the Grist version is below 1.7.9.

Check Version:

Check the Grist web interface or server logs for version information.

Verify Fix Applied:

Verify that the Grist version is 1.7.9 or later and GRIST_SANDBOX_FLAVOR is not set to 'pyodide'.
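
The verification step above, as an added shell example that is not part of this advisory: it assumes the version string is read from the Grist UI or logs and passed in, reads the sandbox flavor from the service environment, and reports a host as exposed only when both conditions hold (version below 1.7.9 and flavor 'pyodide'), comparing version components numerically rather than as strings.

```shell
#!/bin/sh
# Added example, not from the advisory or the Grist project.

# version_lt A B: succeed (return 0) when dotted version A is older than B.
# Components are compared numerically; missing components count as 0.
version_lt() {
  v1=$1 v2=$2
  old_ifs=$IFS; IFS=.
  set -- $v1; a1=${1:-0} a2=${2:-0} a3=${3:-0}
  set -- $v2; b1=${1:-0} b2=${2:-0} b3=${3:-0}
  IFS=$old_ifs
  [ "$a1" -lt "$b1" ] && return 0
  [ "$a1" -gt "$b1" ] && return 1
  [ "$a2" -lt "$b2" ] && return 0
  [ "$a2" -gt "$b2" ] && return 1
  [ "$a3" -lt "$b3" ]
}

# grist_vulnerable VERSION FLAVOR: succeed when the combination matches the
# affected configuration (version < 1.7.9 AND GRIST_SANDBOX_FLAVOR=pyodide).
# An unset or different flavor, or a patched version, is not affected.
grist_vulnerable() {
  version=$1 flavor=$2
  [ "$flavor" = "pyodide" ] || return 1
  version_lt "$version" "1.7.9"
}

# check_host VERSION: flavor is taken from the current environment, as the
# Grist service would see it. Exits non-zero on a vulnerable host so the
# check can be used from a deployment or compliance script.
check_host() {
  if grist_vulnerable "$1" "${GRIST_SANDBOX_FLAVOR:-}"; then
    echo "VULNERABLE: Grist $1 with GRIST_SANDBOX_FLAVOR=pyodide (below 1.7.9)"
    return 1
  fi
  echo "not affected: Grist $1, GRIST_SANDBOX_FLAVOR='${GRIST_SANDBOX_FLAVOR:-unset}'"
}

# Example invocation with a constructed version string:
# GRIST_SANDBOX_FLAVOR=pyodide ./check.sh  -> check_host 1.7.8 reports VULNERABLE
```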

📡 Detection & Monitoring

Log Indicators:

  • Unusual process execution from Grist service
  • Errors related to pyodide sandbox failures
  • Multiple spreadsheet uploads from single user

Network Indicators:

  • Outbound connections from Grist server to unexpected destinations
  • Unusual network traffic patterns from Grist host

SIEM Query:

source="grist.logs" AND ("pyodide" OR "sandbox failure" OR "process execution")
