DEV Community

CVE Reports
CVE Reports

Posted on • Originally published at cvereports.com

CVE-2026-31863: CVE-2026-31863: Authentication Bypass via Brute Force in Anytype Heart gRPC API

#security #cve #cybersecurity

CVE-2026-31863: Authentication Bypass via Brute Force in Anytype Heart gRPC API

Vulnerability ID: CVE-2026-31863
CVSS Score: 3.6
Published: 2026-03-11

The Anytype Heart middleware library fails to restrict excessive authentication attempts on its local gRPC client API. This vulnerability allows a local, unprivileged attacker to bypass challenge-based authentication by brute-forcing a 4-digit authorization code, resulting in unauthorized access to the Anytype application backend and the user's local data.

TL;DR

Anytype Heart lacks rate limiting on its 4-digit PIN authentication challenge, allowing a local attacker to brute-force the code and gain unauthorized access to the gRPC API.

Technical Details

  • CWE ID: CWE-307
  • Attack Vector: Local (AV:L)
  • CVSS Base Score: 3.6 (Low)
  • Impact: Confidentiality & Integrity Bypass
  • Exploit Status: Unexploited publicly
  • Authentication Factor: 4-Digit PIN Challenge
  • CISA KEV: Not Listed

Affected Systems

  • Anytype Heart gRPC local API
  • Anytype CLI local management interface
  • Anytype Desktop local daemon
  • anytype-heart: < 0.48.4 (Fixed in: 0.48.4)
  • anytype-cli: < 0.1.11 (Fixed in: 0.1.11)
  • anytype-ts: < 0.54.5 (Fixed in: 0.54.5)

Mitigation Strategies

  • Update Anytype Heart middleware to version 0.48.4 or later.
  • Update Anytype CLI tools to version 0.1.11 or later.
  • Update the Anytype Desktop client to version 0.54.5 or later.
  • Enforce strict OS-level process isolation to prevent unauthorized local processes from interacting with loopback interfaces.
  • Implement endpoint monitoring to detect anomalous bursts of local network traffic targeting gRPC ports.

Remediation Steps:

  1. Identify all deployed instances of Anytype Desktop, CLI, and standalone Heart middleware.
  2. Download the patched binaries for version 0.54.5 (Desktop), 0.1.11 (CLI), and 0.48.4 (Heart).
  3. Terminate all running Anytype processes on the target machine.
  4. Apply the updates using the system's package manager or manual binary replacement.
  5. Restart the Anytype application and verify that normal local authentication functionality is intact.

References

Read the full report for CVE-2026-31863 on our website for more details including interactive diagrams and full exploit analysis.

Top comments (0)