{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-31863", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-09T19:02:25.013Z", "datePublished": "2026-03-11T17:43:08.106Z", "dateUpdated": "2026-03-12T13:52:12.763Z"}, "containers": {"cna": {"title": "Improper Restriction of Excessive Authentication Attempts in github.com/anyproto/anytype-heart", "problemTypes": [{"descriptions": [{"cweId": "CWE-307", "lang": "en", "description": "CWE-307: Improper Restriction of Excessive Authentication Attempts", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 3.6, "baseSeverity": "LOW", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/anyproto/anytype-heart/security/advisories/GHSA-vv3h-7qwr-722v", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/anyproto/anytype-heart/security/advisories/GHSA-vv3h-7qwr-722v"}], "affected": [{"vendor": "anyproto", "product": "anytype-heart", "versions": [{"version": "< 0.48.4", "status": "affected"}]}, {"vendor": "anyproto", "product": "anytype-cli", "versions": [{"version": "< 0.1.11", "status": "affected"}]}, {"vendor": "anyproto", "product": "anytype-ts", "versions": [{"version": "< 0.54.5", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-11T17:43:08.106Z"}, "descriptions": [{"lang": "en", "value": "Anytype Heart is the middleware library for Anytype. The challenge-based authentication for the local gRPC client API can be bypassed, allowing an attacker to gain access without the 4-digit code. This vulnerability is fixed in anytype-heart 0.48.4, anytype-cli 0.1.11, and Anytype Desktop 0.54.5."}], "source": {"advisory": "GHSA-vv3h-7qwr-722v", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-12T13:52:02.447723Z", "id": "CVE-2026-31863", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-12T13:52:12.763Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-31863", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-12T13:52:02.447723Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-12T13:52:06.399Z"}}], "cna": {"title": "Improper Restriction of Excessive Authentication Attempts in github.com/anyproto/anytype-heart", "source": {"advisory": "GHSA-vv3h-7qwr-722v", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 3.6, "attackVector": "LOCAL", "baseSeverity": "LOW", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}}], "affected": [{"vendor": "anyproto", "product": "anytype-heart", "versions": [{"status": "affected", "version": "< 0.48.4"}]}, {"vendor": "anyproto", "product": "anytype-cli", "versions": [{"status": "affected", "version": "< 0.1.11"}]}, {"vendor": "anyproto", "product": "anytype-ts", "versions": [{"status": "affected", "version": "< 0.54.5"}]}], "references": [{"url": "https://github.com/anyproto/anytype-heart/security/advisories/GHSA-vv3h-7qwr-722v", "name": "https://github.com/anyproto/anytype-heart/security/advisories/GHSA-vv3h-7qwr-722v", "tags": ["x_refsource_CONFIRM"]}], "descriptions": [{"lang": "en", "value": "Anytype Heart is the middleware library for Anytype. The challenge-based authentication for the local gRPC client API can be bypassed, allowing an attacker to gain access without the 4-digit code. This vulnerability is fixed in anytype-heart 0.48.4, anytype-cli 0.1.11, and Anytype Desktop 0.54.5."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-307", "description": "CWE-307: Improper Restriction of Excessive Authentication Attempts"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-11T17:43:08.106Z"}}}, "cveMetadata": {"cveId": "CVE-2026-31863", "state": "PUBLISHED", "dateUpdated": "2026-03-12T13:52:12.763Z", "dateReserved": "2026-03-09T19:02:25.013Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-11T17:43:08.106Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:anytype:anytype_cli:*:*:*:*:*:*:*:*", "matchCriteriaId": "48E258B4-F304-4C04-8447-062E18AD427E", "versionEndExcluding": "0.1.11", "vulnerable": true}, {"criteria": "cpe:2.3:a:anytype:anytype_desktop:*:*:*:*:*:*:*:*", "matchCriteriaId": "06C0A410-2ED2-4A69-9FE4-5153F7D29887", "versionEndExcluding": "0.54.5", "vulnerable": true}, {"criteria": "cpe:2.3:a:anytype:anytype_heart:*:*:*:*:*:*:*:*", "matchCriteriaId": "061F6964-1440-48DC-B1A9-02F59BFC24C1", "versionEndExcluding": "0.48.4", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Anytype Heart is the middleware library for Anytype. The challenge-based authentication for the local gRPC client API can be bypassed, allowing an attacker to gain access without the 4-digit code. This vulnerability is fixed in anytype-heart 0.48.4, anytype-cli 0.1.11, and Anytype Desktop 0.54.5."}, {"lang": "es", "value": "Anytype Heart es la biblioteca de middleware para Anytype. La autenticaci\u00f3n basada en desaf\u00edos para la API de cliente gRPC local puede ser eludida, permitiendo a un atacante obtener acceso sin el c\u00f3digo de 4 d\u00edgitos. Esta vulnerabilidad est\u00e1 corregida en anytype-heart 0.48.4, anytype-cli 0.1.11 y Anytype Desktop 0.54.5."}], "id": "CVE-2026-31863", "lastModified": "2026-03-20T16:29:45.237", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 3.6, "baseSeverity": "LOW", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 1.0, "impactScore": 2.5, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 4.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 2.5, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2026-03-11T18:16:25.270", "references": [{"source": "security-advisories@github.com", "tags": ["Patch", "Vendor Advisory"], "url": "https://github.com/anyproto/anytype-heart/security/advisories/GHSA-vv3h-7qwr-722v"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-307"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,0.1.11)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "anytype-cli", "source": "cna", "vendor": "anyproto"}, "product": "anytype-cli", "vendor": "anyproto"}, {"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,0.48.4)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "anytype-heart", "source": "cna", "vendor": "anyproto"}, "product": "anytype-heart", "vendor": "anyproto"}, {"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,0.54.5)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "anytype-ts", "source": "cna", "vendor": "anyproto"}, "product": "anytype-ts", "vendor": "anyproto"}], "analysis": {"en": {"generated_at": "2026-04-16T09:20:56.918153+00:00", "value": {"mitigation_remediation": ["Upgrade anyproto:anytype-heart to 0.48.4.", "Upgrade anyproto:anytype-cli to 0.1.11.", "Upgrade Anytype Desktop to 0.54.5."], "summary": {"action": "Immediate Patch", "impact": "Unauthorized Access via Authentication Bypass"}, "threat_synthesis": {"affected_systems": "The affected products are anyproto:anytype-cli, anyproto:anytype-heart, and anyproto:anytype-ts. Installations of these components that are older than the fixed releases\u2014anytype\u2011heart\u00a00.48.4, anytype\u2011cli\u00a00.1.11, and Anytype Desktop\u00a00.54.5\u2014remain vulnerable. The vulnerability applies to local deployments where the API is accessible.", "description_and_impact": "Anytype Heart, the middleware underlying Anytype, permits a challenge\u2011based authentication for its local gRPC client API to be bypassed. This flaw allows an attacker to gain API access without providing the required 4\u2011digit code. The weakness, an example of insecure authentication (CWE\u2011307), can enable unauthorized local users to query or modify data through the API.", "risk_and_exploitability": "The CVSS score is 3.6, indicating low severity. The EPSS score is less than 1\u202f%, representing a very low but non\u2011zero exploitation probability. The issue is not cataloged in the CISA KEV list. Because the attack vector involves local exploitation of the gRPC client API, an attacker with local system access can bypass the authentication challenge. No public exploit is documented; the low severity and exploitation probability suggest limited risk, but any local adversary could gain unauthorized API access."}}}}, "created": "2026-03-12T09:57:33.854686+00:00", "updated": "2026-04-16T09:30:06.041476+00:00", "vendors": ["anyproto", "anyproto$PRODUCT$anytype-cli", "anyproto$PRODUCT$anytype-heart", "anyproto$PRODUCT$anytype-ts"]}