GHSA-vv3h-7qwr-722v (CVE-2026-31863)

Details

Impact

The challenge-based authentication for the local gRPC client API can be bypassed, allowing an attacker to gain access without the 4-digit code.

Affected components:

Anytype Desktop (all platforms) ≤ v0.48.2
Anytype-CLI (headless deployments) ≤ v0.1.9

Not affected:

Anytype mobile apps (iOS, Android) - do not expose a local gRPC server

Who is impacted: This vulnerability is scoped to localhost. The gRPC and gRPC-Web ports bind to 127.0.0.1 only and are not exposed to the local network or internet.

Exploitation requires:

Local user-level access to the machine running Anytype
Discovery of the randomized listening port
A running Anytype instance

Anytype-CLI headless deployments may be at higher risk only if an administrator has chosen to set up their own reverse proxy and configured it in a way that exposes gRPC or gRPC-Web ports to an external network. By default, these ports are not externally accessible and there is no built-in mechanism to expose them.

Patches

anytype-heart library: v0.48.4
Anytype Desktop: v0.54.5
Anytype-CLI: v0.1.11

Workarounds

Desktop users: No immediate action required. The vulnerability requires existing local access to the machine.
Anytype-CLI administrators: If using a custom reverse proxy, ensure it does not expose gRPC or gRPC-Web ports to external networks.

Affected Packages

github.com/anyproto/anytype-cli

Go

Fixed in:

0.1.11

github.com/anyproto/anytype-heart

Go

Fixed in:

0.48.4

References

ADVISORY

https://github.com/advisories/GHSA-vv3h-7qwr-722v