Nixpkgs security tracker

Untriaged

Permalink CVE-2026-31863

3.6 LOW

CVSS version (CVSS): 3.1
Attack Vector (AV): Local (L)
Attack Complexity (AC): High (H)
Privileges Required (PR): Low (L)
User Interaction (UI): None (N)
Scope (S): Unchanged (U)
Confidentiality (C): Low (L)
Integrity (I): Low (L)
Availability (A): None (N)
Modified Attack Vector (MAV): Local (L)
Modified Attack Complexity (MAC): High (H)
Modified Privileges Required (MPR): Low (L)
Modified User Interaction (MUI): None (N)
Modified Confidentiality (MC): Low (L)
Modified Scope (MS): Unchanged (U)
Modified Integrity (MI): Low (L)
Modified Availability (MA): None (N)

created 2 months, 1 week ago Activity log

Created suggestion 2 months, 1 week ago

Improper Restriction of Excessive Authentication Attempts in github.com/anyproto/anytype-heart

Anytype Heart is the middleware library for Anytype. The challenge-based authentication for the local gRPC client API can be bypassed, allowing an attacker to gain access without the 4-digit code. This vulnerability is fixed in anytype-heart 0.48.4, anytype-cli 0.1.11, and Anytype Desktop 0.54.5.

References

https://github.com/anyproto/anytype-heart/security/advisories/GHSA-vv3h-7qwr-722v x_refsource_CONFIRM

Affected products

anytype-ts

==< 0.54.5

anytype-cli

==< 0.1.11

anytype-heart

==< 0.48.4

Matching in nixpkgs

pkgs.anytype-heart

Shared library for Anytype clients

nixos-unstable 0.48.1
- nixpkgs-unstable 0.48.1
- nixos-unstable-small 0.48.4
nixos-25.11 0.44.0-nightly.20251220.1
- nixos-25.11-small 0.44.0-nightly.20251220.1
- nixpkgs-25.11-darwin 0.44.0-nightly.20251220.1

Package maintainers

@kira-bruneau Kira Bruneau <kira.bruneau@pm.me>
@adda0 David Chocholatý <chocholaty.david@protonmail.com>
@autrimpo Michal Koutenský <michal@koutensky.net>

Suggestion detail

References

Affected products

Matching in nixpkgs

pkgs.anytype-heart

Package maintainers