CVE-2026-31863

Anytype Heart is the middleware library for Anytype. The challenge-based authentication for the local gRPC client API can be bypassed, allowing an attacker to gain access without the 4-digit code. This vulnerability is fixed in anytype-heart 0.48.4, anytype-cli 0.1.11, and Anytype Desktop 0.54.5.

CVSS v3 3.6 LOW

3.6^/10

CVSS v3 : LOW

Vector :

Exploitability : 1.0 / Impact : 2.5

Attack Vector LOCAL

Attack Complexity HIGH

Privileges Required LOW

User Interaction NONE

Confidentiality Impact LOW

Integrity Impact LOW

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://github.com/anyproto/anytype-heart/security/advisories/GHSA-vv3h-7qwr-722v	Patch Vendor Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:anytype:anytype_cli::::::::
	cpe:2.3:a:anytype:anytype_desktop::::::::
	cpe:2.3:a:anytype:anytype_heart::::::::

History

20 Mar 2026, 16:29

Type	Values Removed	Values Added
Summary		(es) Anytype Heart es la biblioteca de middleware para Anytype. La autenticación basada en desafíos para la API de cliente gRPC local puede ser eludida, permitiendo a un atacante obtener acceso sin el código de 4 dígitos. Esta vulnerabilidad está corregida en anytype-heart 0.48.4, anytype-cli 0.1.11 y Anytype Desktop 0.54.5.
First Time		Anytype anytype Desktop Anytype Anytype anytype Heart Anytype anytype Cli
References	~~() https://github.com/anyproto/anytype-heart/security/advisories/GHSA-vv3h-7qwr-722v -~~	() https://github.com/anyproto/anytype-heart/security/advisories/GHSA-vv3h-7qwr-722v - Patch, Vendor Advisory
CPE		cpe:2.3:a:anytype:anytype_cli:::::::: cpe:2.3:a:anytype:anytype_heart:::::::: cpe:2.3:a:anytype:anytype_desktop::::::::

11 Mar 2026, 18:16

Type	Values Removed	Values Added
New CVE

Information

Published : 2026-03-11 18:16

Updated : 2026-03-20 16:29

NVD link : CVE-2026-31863

Mitre link : CVE-2026-31863

CVE.ORG link : CVE-2026-31863

JSON object : View

Products Affected

anytype

anytype_desktop
anytype_cli
anytype_heart

CWE

CWE-307

Improper Restriction of Excessive Authentication Attempts

{"id": "CVE-2026-31863", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 3.6, "attackVector": "LOCAL", "baseSeverity": "LOW", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}, "impactScore": 2.5, "exploitabilityScore": 1.0}, {"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.4, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}, "impactScore": 2.5, "exploitabilityScore": 1.8}]}, "published": "2026-03-11T18:16:25.270", "references": [{"url": "https://github.com/anyproto/anytype-heart/security/advisories/GHSA-vv3h-7qwr-722v", "tags": ["Patch", "Vendor Advisory"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-307"}]}], "descriptions": [{"lang": "en", "value": "Anytype Heart is the middleware library for Anytype. The challenge-based authentication for the local gRPC client API can be bypassed, allowing an attacker to gain access without the 4-digit code. This vulnerability is fixed in anytype-heart 0.48.4, anytype-cli 0.1.11, and Anytype Desktop 0.54.5."}, {"lang": "es", "value": "Anytype Heart es la biblioteca de middleware para Anytype. La autenticaci\u00f3n basada en desaf\u00edos para la API de cliente gRPC local puede ser eludida, permitiendo a un atacante obtener acceso sin el c\u00f3digo de 4 d\u00edgitos. Esta vulnerabilidad est\u00e1 corregida en anytype-heart 0.48.4, anytype-cli 0.1.11 y Anytype Desktop 0.54.5."}], "lastModified": "2026-03-20T16:29:45.237", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:anytype:anytype_cli:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "48E258B4-F304-4C04-8447-062E18AD427E", "versionEndExcluding": "0.1.11"}, {"criteria": "cpe:2.3:a:anytype:anytype_desktop:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "06C0A410-2ED2-4A69-9FE4-5153F7D29887", "versionEndExcluding": "0.54.5"}, {"criteria": "cpe:2.3:a:anytype:anytype_heart:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "061F6964-1440-48DC-B1A9-02F59BFC24C1", "versionEndExcluding": "0.48.4"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}