Anytype Heart Challenge-Based Authentication Bypass Vulnerability in gRPC Client API
Vulnerability
A vulnerability exists in the Anytype Heart middleware library, allowing for a bypass of the challenge-based authentication in the local gRPC client API. This flaw enables an attacker to gain access without the required 4-digit code. The issue is present in Anytype Heart versions prior to 0.48.4, Anytype CLI versions prior to 0.1.11, and Anytype Desktop versions through 0.48.2. The vulnerability is scoped to localhost, affecting only the local gRPC server, which is not exposed to the local network or internet. Exploitation requires local user-level access, knowledge of the randomized listening port, and a running Anytype instance.
Impact
Bypassing the authentication challenge allows unauthorized access to the local gRPC client API.
Remediation
Users of Anytype Heart should update to version 0.48.4. Anytype Desktop users should update to version 0.54.5. Anytype CLI administrators should update to version 0.1.11.
