CVE-2026-31863: Anytype Heart's gRPC API client challenge verification can be bypassed on localhost
The challenge-based authentication that Anytype Heart applies to its local gRPC client API can be bypassed: a process on the same host can obtain API access without presenting the 4-digit code that the challenge is meant to require.
Affected components:
- Anytype Desktop (all platforms) ≤ v0.48.2
- Anytype-CLI (headless deployments) ≤ v0.1.9
Not affected:
- Anytype mobile apps (iOS, Android) - do not expose a local gRPC server
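A quick inventory triage against the version ranges above, as an added example (this is not Anytype's code). The version ceilings come from the advisory; the component labels, the inventory format and the sample hosts are this script's own assumptions, and since the page does not name fixed releases the check reports only whether a version falls inside the affected range.

```python
"""Affected-version triage for CVE-2026-31863 (added example, not Anytype code).

Version ceilings are taken from the advisory text. Component labels and the
inventory tuple format are assumptions of this script.
"""
import re

# Highest affected version per component, from the advisory ("<= v0.48.2", "<= v0.1.9").
AFFECTED_CEILING = {
    "desktop": (0, 48, 2),   # Anytype Desktop, all platforms
    "cli": (0, 1, 9),        # Anytype-CLI, headless deployments
}

# Mobile apps do not expose a local gRPC server per the advisory.
NOT_AFFECTED = {"ios", "android"}

# Accepts "v0.48.2", "0.48.2" and "0.48.2-beta.1"; suffix after '-' or '+' is ignored.
_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)(?:[-+].*)?$")


def parse_version(text: str) -> tuple:
    """Parse a version string into an integer tuple so that 0.48.10 > 0.48.2.

    Pre-release and build suffixes are dropped, so a pre-release of an affected
    release is still treated as affected (the conservative choice for triage).
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(part) for part in m.groups())


def is_affected(component: str, version: str) -> bool:
    """True if component/version falls inside the advisory's affected range."""
    if component in NOT_AFFECTED:
        return False
    if component not in AFFECTED_CEILING:
        # Unknown components are an inventory error, not a silent "not affected".
        raise ValueError(f"unknown component: {component!r}")
    return parse_version(version) <= AFFECTED_CEILING[component]


def triage(inventory):
    """Return the (host, component, version) entries that still need patching."""
    return [(h, c, v) for h, c, v in inventory if is_affected(c, v)]


if __name__ == "__main__":
    # Constructed sample inventory; hosts and versions are made up for the demo.
    sample = [
        ("laptop-1", "desktop", "v0.48.2"),
        ("laptop-2", "desktop", "0.49.0"),
        ("build-1", "cli", "v0.1.9"),
        ("build-2", "cli", "v0.1.10"),
        ("phone-1", "ios", "1.2.3"),
    ]
    for host, comp, ver in triage(sample):
        print(f"{host}: {comp} {ver} is within the affected range for CVE-2026-31863")
```

The numeric comparison matters: a plain string compare would rank "0.48.10" below "0.48.2" and flag a later build as affected, and dropping pre-release suffixes errs toward reporting rather than missing an install.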
Who is impacted: The vulnerability is scoped to localhost. The gRPC and gRPC-Web ports bind to 127.0.0.1 only and are not reachable from the local network or the internet, so exploitation requires code that is already running on the same machine as the Anytype client.