PT-2026-24757 · Anytype · Anytype-Cli+2
Published 2026-03-11 · Updated 2026-03-25
CVE-2026-31863
CVSS v3.1 4.4 (Medium)
| Vector | AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N |
Name of the Vulnerable Software and Affected Versions
Anytype Heart versions prior to 0.48.4
Anytype-CLI versions prior to 0.1.11
Anytype Desktop versions prior to 0.54.5
Description
The challenge-based authentication for the local gRPC client API can be bypassed, allowing an attacker with local access to authenticate to the API without supplying the 4-digit code. The issue is scoped to localhost: the gRPC and gRPC-Web ports bind to 127.0.0.1 only and are not exposed to the local network or the internet. Exploitation requires user-level access to the machine running Anytype, a running Anytype instance, and discovery of its randomized listening port. Anytype-CLI headless deployments are at higher risk if an administrator has placed a reverse proxy in front of the gRPC or gRPC-Web port and thereby exposed it to an external network.
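The advisory does not describe the bypass itself, but the weakness it is filed under (Improper Restriction of Excessive Authentication Attempts) is easy to reason about for a 4-digit code: with no cap on wrong answers, a local process that has found the port can simply try all 10,000 codes. The following is an added illustration, not Anytype's code: a hypothetical challenge store with an unlimited-attempt mode beside a mode that burns the challenge after a few failures. The names (ChallengeStore, CreateChallenge, SolveChallenge, BruteForce) and the assumed flow (client requests a challenge, user reads the code from the app window, client submits it for a session token) are assumptions made for the example.

```go
package main

import (
	"crypto/rand"
	"crypto/subtle"
	"errors"
	"fmt"
	"math/big"
	"sync"
)

// Hypothetical model of a challenge-based local API login, written to
// illustrate CWE-307. It is not Anytype's implementation.

const (
	codeSpace   = 10000 // 4 decimal digits: 0000..9999
	maxAttempts = 3     // hardened store: wrong answers allowed per challenge
)

var (
	ErrNoChallenge = errors.New("unknown or expired challenge")
	ErrBadCode     = errors.New("wrong code")
	ErrLockedOut   = errors.New("too many wrong codes; request a new challenge")
)

type challenge struct {
	code     string
	failures int
}

// ChallengeStore issues 4-digit codes and checks answers.
// limit == 0 means unlimited attempts (the weak behaviour).
type ChallengeStore struct {
	mu         sync.Mutex
	challenges map[string]*challenge
	nextID     int
	limit      int
}

func NewChallengeStore(limit int) *ChallengeStore {
	return &ChallengeStore{challenges: map[string]*challenge{}, limit: limit}
}

func randomCode() string {
	n, err := rand.Int(rand.Reader, big.NewInt(codeSpace))
	if err != nil {
		panic(err)
	}
	return fmt.Sprintf("%04d", n.Int64())
}

// CreateChallenge returns a challenge ID and the code the user would read from
// the app window. The code is returned here only so the demo can show it.
func (s *ChallengeStore) CreateChallenge() (id string, code string) {
	s.mu.Lock()
	defer s.mu.Unlock()
	s.nextID++
	id = fmt.Sprintf("ch-%d", s.nextID)
	code = randomCode()
	s.challenges[id] = &challenge{code: code}
	return id, code
}

// SolveChallenge checks the code. With no limit it never gives up, so every
// code can be tried. With a limit it deletes the challenge after `limit` wrong
// answers, so a guess succeeds with probability limit/10000 per challenge.
func (s *ChallengeStore) SolveChallenge(id, code string) (token string, err error) {
	s.mu.Lock()
	defer s.mu.Unlock()
	c, ok := s.challenges[id]
	if !ok {
		return "", ErrNoChallenge
	}
	if subtle.ConstantTimeCompare([]byte(c.code), []byte(code)) == 1 {
		delete(s.challenges, id) // one-shot: a solved challenge cannot be replayed
		return "session-" + id, nil
	}
	c.failures++
	if s.limit > 0 && c.failures >= s.limit {
		delete(s.challenges, id) // burn it; the user must request a new code
		return "", ErrLockedOut
	}
	return "", ErrBadCode
}

// BruteForce models an unprivileged local process that has found the port and
// tries every 4-digit code against one challenge. It returns the token (if any)
// and the number of attempts made.
func BruteForce(s *ChallengeStore, id string) (string, int) {
	for i := 0; i < codeSpace; i++ {
		tok, err := s.SolveChallenge(id, fmt.Sprintf("%04d", i))
		if err == nil {
			return tok, i + 1
		}
		if errors.Is(err, ErrNoChallenge) || errors.Is(err, ErrLockedOut) {
			return "", i + 1 // challenge is gone: give up
		}
	}
	return "", codeSpace
}

func main() {
	weak := NewChallengeStore(0)
	id, _ := weak.CreateChallenge()
	tok, n := BruteForce(weak, id)
	fmt.Printf("unlimited attempts: token=%q after %d tries\n", tok, n)

	hard := NewChallengeStore(maxAttempts)
	id, _ = hard.CreateChallenge()
	tok, n = BruteForce(hard, id)
	fmt.Printf("limit %d: token=%q, stopped after %d tries\n", maxAttempts, tok, n)
}
```

Against the unlimited store the loop always ends with a token; against the limited store it ends after three wrong answers unless the code happened to be one of the first three tried. An attempt cap on its own only bounds the odds per challenge, so a real fix also needs the app to show the user that a new challenge was requested (a burned challenge visibly reappearing as a fresh code is itself a signal of a local brute-force attempt).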
Recommendations
Versions prior to 0.48.4 of Anytype Heart should be updated to version 0.48.4 or later.
Versions prior to 0.1.11 of Anytype-CLI should be updated to version 0.1.11 or later.
Versions prior to 0.54.5 of Anytype Desktop should be updated to version 0.54.5 or later.
For Anytype-CLI administrators using a custom reverse proxy, ensure it does not expose gRPC or gRPC-Web ports to external networks.
Weakness Enumeration
Improper Restriction of Excessive Authentication Attempts
Affected Products
Anytype Desktop
Anytype-Heart
Anytype-Cli