Description
Anytype Heart is the middleware library for Anytype. The challenge-based authentication for the local gRPC client API can be bypassed, allowing an attacker to gain access without the 4-digit code. This vulnerability is fixed in anytype-heart 0.48.4, anytype-cli 0.1.11, and Anytype Desktop 0.54.5.
Published: 2026-03-11
Score: 3.6 Low
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized Access via Authentication Bypass
Action: Immediate Patch
AI Analysis

Impact

Anytype Heart, the middleware library underlying Anytype, allows the challenge-based authentication for its local gRPC client API to be bypassed. An attacker can gain API access without supplying the required 4-digit code. The weakness is classified as CWE-307 (Improper Restriction of Excessive Authentication Attempts) and can enable unauthorized local users to query or modify data through the API.

Affected Systems

The affected products are anyproto:anytype-cli, anyproto:anytype-heart, and anyproto:anytype-ts. Installations of these components older than the fixed releases (anytype-heart 0.48.4, anytype-cli 0.1.11, and Anytype Desktop 0.54.5) remain vulnerable. The vulnerability applies to local deployments where the API is accessible.

Risk and Exploitability

The CVSS 3.1 base score is 3.6, indicating low severity. The EPSS score is below 1%, a very low but non-zero exploitation probability. The issue is not listed in the CISA KEV catalog. Because the attack vector is local, an attacker who already has local system access can bypass the authentication challenge on the gRPC client API. No public exploit is documented; the low severity and exploitation probability suggest limited risk, but any local adversary could gain unauthorized API access.

Generated by OpenCVE AI on April 16, 2026 at 09:20 UTC.

Remediation

No vendor fix or workaround is currently provided.

OpenCVE Recommended Actions

  • Upgrade anyproto:anytype-heart to 0.48.4.
  • Upgrade anyproto:anytype-cli to 0.1.11.
  • Upgrade Anytype Desktop to 0.54.5.

Advisories

Source: GitHub GHSA
ID: GHSA-vv3h-7qwr-722v
Title: Anytype Heart's gRPC API client challenge verification can be bypassed on localhost

History

Fri, 20 Mar 2026 16:30:00 +0000

First Time appeared (values added): Anytype; Anytype anytype Cli; Anytype anytype Desktop; Anytype anytype Heart
CPEs (values added): cpe:2.3:a:anytype:anytype_cli:*:*:*:*:*:*:*:*; cpe:2.3:a:anytype:anytype_desktop:*:*:*:*:*:*:*:*; cpe:2.3:a:anytype:anytype_heart:*:*:*:*:*:*:*:*
Vendors & Products (values added): Anytype; Anytype anytype Cli; Anytype anytype Desktop; Anytype anytype Heart

Thu, 12 Mar 2026 14:15:00 +0000

Metrics (values added): ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 12 Mar 2026 10:15:00 +0000

First Time appeared (values added): Anyproto; Anyproto anytype-cli; Anyproto anytype-heart; Anyproto anytype-ts
Vendors & Products (values added): Anyproto; Anyproto anytype-cli; Anyproto anytype-heart; Anyproto anytype-ts

Wed, 11 Mar 2026 18:00:00 +0000

Description (values added): Anytype Heart is the middleware library for Anytype. The challenge-based authentication for the local gRPC client API can be bypassed, allowing an attacker to gain access without the 4-digit code. This vulnerability is fixed in anytype-heart 0.48.4, anytype-cli 0.1.11, and Anytype Desktop 0.54.5.
Title (values added): Improper Restriction of Excessive Authentication Attempts in github.com/anyproto/anytype-heart
Weaknesses (values added): CWE-307
References (values added): none listed
Metrics (values added): cvssV3_1 {'score': 3.6, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N'}

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-12T13:52:12.763Z

Reserved: 2026-03-09T19:02:25.013Z

Link: CVE-2026-31863

Vulnrichment

Updated: 2026-03-12T13:52:06.399Z

NVD

Status: Analyzed

Published: 2026-03-11T18:16:25.270

Modified: 2026-03-20T16:29:45.237

Link: CVE-2026-31863

Red Hat

No data.

OpenCVE Enrichment

Updated: 2026-04-16T09:30:06Z

Weaknesses