Anytype Heart's gRPC API client challenge verification can be bypassed on localhost
The challenge-based authentication for the local gRPC client API can be bypassed, allowing an attacker to gain access without the 4-digit code. Affected components: Anytype Desktop (all platforms) ≤ v0.48.2 Anytype-CLI (headless deployments) ≤ v0.1.9 Not affected: Anytype mobile apps (iOS, Android) - do not expose a local gRPC server Who is impacted: This vulnerability is scoped to localhost. The gRPC and gRPC-Web ports bind to 127.0.0.1 only and are …