Anytype Heart's gRPC API client challenge verification can be bypassed on localhost
GHSA-vv3h-7qwr-722v · CVE-2026-31863 · GO-2026-4680
Description
Impact
The challenge-based authentication for the local gRPC client API can be bypassed, allowing an attacker to gain access without the 4-digit code.
Affected components:
- Anytype Desktop (all platforms) ≤ v0.48.2
- Anytype-CLI (headless deployments) ≤ v0.1.9
Not affected:
- Anytype mobile apps (iOS, Android): they do not expose a local gRPC server
Who is impacted:
This vulnerability is scoped to localhost. The gRPC and gRPC-Web ports bind to 127.0.0.1 only and are not exposed to the local network or internet.
Exploitation requires:
- Local user-level access to the machine running Anytype
- Discovery of the randomized listening port
- A running Anytype instance
Anytype-CLI headless deployments may be at higher risk only if an administrator has chosen to set up their own reverse proxy and configured it in a way that exposes the gRPC or gRPC-Web ports to an external network. By default, these ports are not externally accessible, and there is no built-in mechanism to expose them.
Patches
- anytype-heart library: v0.48.4
- Anytype Desktop: v0.54.5
- Anytype-CLI: v0.1.11
Workarounds
- Desktop users: No immediate action required. The vulnerability requires existing local access to the machine.
- Anytype-CLI administrators: If using a custom reverse proxy, ensure it does not expose gRPC or gRPC-Web ports to external networks.
References
- WEB https://github.com/anyproto/anytype-heart/security/advisories/GHSA-vv3h-7qwr-722v
- ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2026-31863
- WEB https://github.com/anyproto/anytype-cli
- PACKAGE https://github.com/anyproto/anytype-heart
- WEB https://github.com/anyproto/anytype-ts
- WEB https://pkg.go.dev/vuln/GO-2026-4680