Skip to content

Instantly share code, notes, and snippets.

@alon710

alon710/CVE-2026-31863.md

Created March 11, 2026 18:10
Show Gist options

  • Select an option

    Learn more about clone URLs
  • Save alon710/2f5ac9f201724311bd0bb59616acb73c to your computer and use it in GitHub Desktop.

Select an option

Learn more about clone URLs
Save alon710/2f5ac9f201724311bd0bb59616acb73c to your computer and use it in GitHub Desktop.
Download ZIP
CVE-2026-31863: CVE-2026-31863: Authentication Bypass via Brute Force in Anytype Heart gRPC API - CVE Security Report
Raw
CVE-2026-31863.md

CVE-2026-31863: CVE-2026-31863: Authentication Bypass via Brute Force in Anytype Heart gRPC API

CVSS Score: 3.6 Published: 2026-03-11 Full Report: https://cvereports.com/reports/CVE-2026-31863

Summary

The Anytype Heart middleware library fails to restrict excessive authentication attempts on its local gRPC client API. This vulnerability allows a local, unprivileged attacker to bypass challenge-based authentication by brute-forcing a 4-digit authorization code, resulting in unauthorized access to the Anytype application backend and the user's local data.

TL;DR

Anytype Heart lacks rate limiting on its 4-digit PIN authentication challenge, allowing a local attacker to brute-force the code and gain unauthorized access to the gRPC API.

Technical Details

  • CWE ID: CWE-307
  • Attack Vector: Local (AV:L)
  • CVSS Base Score: 3.6 (Low)
  • Impact: Confidentiality & Integrity Bypass
  • Exploit Status: Unexploited publicly
  • Authentication Factor: 4-Digit PIN Challenge
  • CISA KEV: Not Listed

Affected Systems

  • Anytype Heart gRPC local API
  • Anytype CLI local management interface
  • Anytype Desktop local daemon
  • anytype-heart: < 0.48.4 (Fixed in: 0.48.4)
  • anytype-cli: < 0.1.11 (Fixed in: 0.1.11)
  • anytype-ts: < 0.54.5 (Fixed in: 0.54.5)

Mitigation

  • Update Anytype Heart middleware to version 0.48.4 or later.
  • Update Anytype CLI tools to version 0.1.11 or later.
  • Update the Anytype Desktop client to version 0.54.5 or later.
  • Enforce strict OS-level process isolation to prevent unauthorized local processes from interacting with loopback interfaces.
  • Implement endpoint monitoring to detect anomalous bursts of local network traffic targeting gRPC ports.

Remediation Steps:

  1. Identify all deployed instances of Anytype Desktop, CLI, and standalone Heart middleware.
  2. Download the patched binaries for version 0.54.5 (Desktop), 0.1.11 (CLI), and 0.48.4 (Heart).
  3. Terminate all running Anytype processes on the target machine.
  4. Apply the updates using the system's package manager or manual binary replacement.
  5. Restart the Anytype application and verify that normal local authentication functionality is intact.

References

Generated by CVEReports - Automated Vulnerability Intelligence

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment