CVE-2026-31863
Authentication Bypass in Anytype Heart gRPC Client API
Publication date: 2026-03-11
Last updated on: 2026-03-20
Assigner: GitHub, Inc.
Description
CVSS Scores
EPSS Scores
| Metric | Value |
|---|---|
| Probability | |
| Percentile | |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| anytype | anytype_cli | up to 0.1.11 (exclusive) |
| anytype | anytype_heart | up to 0.48.4 (exclusive) |
| anytype | anytype_desktop | up to 0.54.5 (exclusive) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-307 | The product does not implement sufficient measures to prevent multiple failed authentication attempts within a short time frame. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-31863 is a vulnerability in the Anytype software's local gRPC client API authentication mechanism. Specifically, the challenge-based verification that requires a 4-digit code can be bypassed by an attacker who has local user-level access to the machine running Anytype. This means the attacker can gain unauthorized access without entering the required authentication code.

The vulnerability affects Anytype Desktop (all platforms) versions up to v0.48.2, Anytype-CLI versions up to v0.1.9, and the anytype-heart middleware library. It does not affect Anytype mobile applications because they do not expose a local gRPC server.

The issue arises because the software does not properly restrict excessive authentication attempts, allowing bypass of the authentication challenge on localhost. Exploitation requires local access, discovery of the randomized listening port, and a running instance of Anytype. [1]
How can this vulnerability impact me?
This vulnerability allows an attacker with local user-level access to bypass the 4-digit authentication code and gain unauthorized access to the Anytype application running on the machine.
Because the gRPC ports are bound only to localhost by default, the risk is limited to attackers who already have local access. However, if Anytype-CLI is configured with a custom reverse proxy exposing these ports externally, the risk increases.
The impact is considered low severity with limited confidentiality and integrity impact, and no availability impact. Still, unauthorized access could lead to exposure or modification of data accessible through the Anytype application.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability affects the local gRPC client API of Anytype software and requires local user-level access to the machine running Anytype. Detection involves verifying if an affected version of Anytype Desktop (up to v0.48.2) or Anytype-CLI (up to v0.1.9) is running.
Since the gRPC and gRPC-Web ports bind only to localhost (127.0.0.1) and are not exposed externally by default, you can check for Anytype processes and their listening ports on localhost.
- Use commands like `netstat -tulnp | grep 127.0.0.1` or `ss -tulnp | grep 127.0.0.1` to identify listening ports bound to localhost.
- Check running Anytype processes with commands such as `ps aux | grep anytype` to confirm the version and presence of the vulnerable software.
If a custom reverse proxy is configured for Anytype-CLI, verify that gRPC or gRPC-Web ports are not exposed externally by inspecting proxy configurations and firewall rules.
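The exposure check described above, written out as an added example (not part of the advisory or of the Anytype project): a POSIX shell function that reads `ss -tulnp` output and reports any Anytype listener whose local address is not loopback. The sample `ss` lines, process names, PIDs and port numbers below are constructed for the demonstration; real Anytype instances pick randomized ports.

```shell
#!/bin/sh
# Added example: flag Anytype gRPC/gRPC-Web listeners that are bound to
# something other than loopback. Input is the tabular output of `ss -tulnp`
# (Netid, State, Recv-Q, Send-Q, Local Address:Port, Peer Address:Port, Process).
# The sample below is constructed; ports, PIDs and process names are made up.

SAMPLE_SS='Netid State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
tcp   LISTEN 0      4096   127.0.0.1:31007     0.0.0.0:*         users:(("anytypeHelper",pid=4242,fd=21))
tcp   LISTEN 0      4096   127.0.0.1:31008     0.0.0.0:*         users:(("anytypeHelper",pid=4242,fd=22))
tcp   LISTEN 0      4096   0.0.0.0:31009       0.0.0.0:*         users:(("anytype-cli",pid=5151,fd=9))
tcp   LISTEN 0      4096   [::]:22             [::]:*            users:(("sshd",pid=900,fd=3))'

# Print "address:port process" for every listening socket owned by an
# anytype-named process whose local address is not a loopback address.
# Reads ss output on stdin; prints nothing when everything is loopback-only.
exposed_anytype_listeners() {
    awk 'tolower($0) ~ /anytype/ && $2 == "LISTEN" {
        addr = $5
        host = addr
        sub(/:[^:]*$/, "", host)            # drop the port (text after the last colon)
        if (host != "127.0.0.1" && host != "[::1]" && host !~ /^127\./) {
            proc = $7
            gsub(/users:\(\("|",pid.*/, "", proc)   # keep only the process name
            print addr, proc
        }
    }'
}

# Number of exposed listeners, handy for a zero/non-zero check in scripts.
count_exposed() {
    exposed_anytype_listeners | wc -l | tr -d ' '
}

# Usage on a live host:   ss -tulnp | exposed_anytype_listeners
# Demonstration on the constructed sample:   sh this_script.sh --demo
if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' "$SAMPLE_SS" | exposed_anytype_listeners
fi
```

Two caveats for real use: `ss -p` only shows the owning process for sockets you are allowed to inspect, so run it as root (or as the user running Anytype) or the Process column is empty and the `anytype` match never fires; and a listener bound to loopback can still be reachable remotely through a reverse proxy, so this check complements, rather than replaces, the proxy and firewall review mentioned above.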
What immediate steps should I take to mitigate this vulnerability?
The primary mitigation is to update Anytype components to the patched versions that fix this vulnerability:
- Update anytype-heart library to version 0.48.4 or later.
- Update Anytype Desktop to version 0.54.5 or later.
- Update Anytype-CLI to version 0.1.11 or later.
Additional immediate steps include:
- For Desktop users, no immediate action is required beyond updating, since exploitation requires local access.
- For Anytype-CLI administrators, ensure that any custom reverse proxies do not expose gRPC or gRPC-Web ports externally to prevent remote exploitation.