Skip to content

gRPC API client challenge verification can be bypassed on localhost

Low
requilence published GHSA-vv3h-7qwr-722v Mar 9, 2026

Package

gomod github.com/anyproto/anytype-cli (Go)

Affected versions

<v0.1.11

Patched versions

v0.1.11
gomod github.com/anyproto/anytype-heart (Go)
<v0.48.4
v0.48.4

Description

Impact

The challenge-based authentication for the local gRPC client API can be bypassed, allowing an attacker to gain access without the 4-digit code.

Affected components:

  • Anytype Desktop (all platforms) ≤ v0.48.2
  • Anytype-CLI (headless deployments) ≤ v0.1.9

Not affected:

  • Anytype mobile apps (iOS, Android) - do not expose a local gRPC server

Who is impacted:
This vulnerability is scoped to localhost. The gRPC and gRPC-Web ports bind to 127.0.0.1 only and are not exposed to the local network or internet.

Exploitation requires:

  • Local user-level access to the machine running Anytype
  • Discovery of the randomized listening port
  • A running Anytype instance

Anytype-CLI headless deployments may be at higher risk only if an administrator has chosen to set up their own reverse proxy and configured it in a way that
exposes gRPC or gRPC-Web ports to an external network. By default, these ports are not externally accessible and there is no built-in mechanism to expose them.

Patches

Workarounds

  • Desktop users: No immediate action required. The vulnerability requires existing local access to the machine.
  • Anytype-CLI administrators: If using a custom reverse proxy, ensure it does not expose gRPC or gRPC-Web ports to external networks.

Severity

Low

CVSS overall score

This score calculates overall vulnerability severity from 0 to 10 and is based on the Common Vulnerability Scoring System (CVSS).
/ 10

CVSS v3 base metrics

Attack vector
Local
Attack complexity
High
Privileges required
Low
User interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
Low
Availability
None

CVSS v3 base metrics

Attack vector: More severe the more the remote (logically and physically) an attacker can be in order to exploit the vulnerability.
Attack complexity: More severe for the least complex attacks.
Privileges required: More severe if no privileges are required.
User interaction: More severe when no user interaction is required.
Scope: More severe when a scope change occurs, e.g. one vulnerable component impacts resources in components beyond its security scope.
Confidentiality: More severe when loss of data confidentiality is highest, measuring the level of data access available to an unauthorized user.
Integrity: More severe when loss of data integrity is the highest, measuring the consequence of data modification possible by an unauthorized user.
Availability: More severe when the loss of impacted component availability is highest.
CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N

CVE ID

CVE-2026-31863

Weaknesses

Improper Restriction of Excessive Authentication Attempts

The product does not implement sufficient measures to prevent multiple failed authentication attempts within a short time frame. Learn more on MITRE.