Anytype, Authentication Bypass, CVE-2024-XXXXX (Critical)

Listen to this Post

The vulnerability exists in the challenge-based authentication for the local gRPC client API used by Anytype Desktop and Anytype-CLI. The gRPC server binds exclusively to 127.0.0.1 on a randomized port and normally requires a 4-digit code to authenticate any incoming request. However, due to improper validation in the authentication middleware, an attacker with local user-level access can bypass this code check entirely. By directly calling gRPC methods without providing the required challenge response, the server erroneously grants full access. The randomized port can be discovered through simple local network scans or by inspecting process listings (e.g., using `netstat` or lsof). Once the port is identified, an attacker can send crafted gRPC requests to perform any action that the Anytype user is authorized to do, including reading or modifying data. This flaw affects Anytype Desktop versions up to 0.48.2 and Anytype-CLI versions up to 0.1.9. Mobile applications (iOS, Android) are not vulnerable because they do not expose a local gRPC server. The attack vector is strictly local; the attacker must already have a user account on the machine. In headless deployments where administrators have misconfigured reverse proxies to expose the gRPC ports to external networks, the risk becomes remote. The issue was addressed in later releases by correcting the authentication logic. Users are advised to update to the latest versions to eliminate the risk.

dailycve form:

Platform: Anytype Desktop/CLI
Version: ≤0.48.2, ≤0.1.9
Vulnerability: gRPC auth bypass
Severity: Critical
date: 2024-04-15

Prediction: Patch 2024-05-01

What Undercode Say:

Analytics

Check installed versions
anytype --version
anytype-cli --version
Identify Anytype processes and listening ports
ps aux | grep anytype
netstat -tulpn | grep anytype
lsof -i -P -n | grep anytype
Test if gRPC port is responsive (example port 12345)
grpcurl -plaintext 127.0.0.1:12345 list

Exploit

Discover the randomized gRPC port (e.g., 54321)
ss -tulpn | grep anytype
Use grpcurl to list available services without authentication
grpcurl -plaintext 127.0.0.1:54321 list
Attempt to call a sensitive method (replace with actual service/method)
grpcurl -plaintext -d '{}' 127.0.0.1:54321 anytype.AccountService/ListAccounts
If successful, attacker can now perform actions without the 4-digit code

Protection

Update Anytype Desktop to the latest patched version
For Debian/Ubuntu (if installed via package manager)
sudo apt update && sudo apt upgrade anytype
For manual installs, download the latest release from the official website
For Anytype-CLI, update via package manager or direct download
Ensure reverse proxies do not expose gRPC ports externally
Example Nginx configuration to block external access:
location /grpc {
allow 127.0.0.1;
deny all;
}
Firewall rule to prevent accidental exposure (if ports are bound to 0.0.0.0)
sudo ufw deny from any to any port 54321 proto tcp

Impact

Successful exploitation allows an attacker with local access to fully control the Anytype application, including reading, modifying, or deleting user data. In headless setups with exposed ports, remote attackers could also compromise the system. The bypass undermines the 4-digit code security mechanism, leading to complete loss of confidentiality and integrity of Anytype data.

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: github.com
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top