CVE-2026-45244
5.4 MEDIUMSummarize prior to 0.15.1 contains a missing authorization vulnerability that allows attackers to execute browser automation actions with...
Published: 2026-05-18 · Last updated: 2026-05-19
Severity and scoring
- CVSS
- 5.4 MEDIUM
- Vector
- CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N
- CWE
- CWE-862
Affected products
| Vendor | Product |
|---|---|
| steipete | summarize |
Description
Summarize prior to 0.15.1 contains a missing authorization vulnerability that allows attackers to execute browser automation actions without per-call user approval when the extension automation feature is enabled. Attackers can influence the agent through malicious page or summary content to invoke enabled extension automation tools such as navigation or debugger-backed actions, bypassing the final user approval step when a user interacts with attacker-controlled content.
Source: NVD
References
- [NVD]https://nvd.nist.gov/vuln/detail/CVE-2026-45244
- [Patch]https://github.com/steipete/summarize/commit/e64fe3ecd1bb4fdc181dcfa88c96b9e1914ced0e
- [Patch]https://github.com/steipete/summarize/pull/219
- [Other]https://github.com/steipete/summarize/releases/tag/v0.15.2
- [Other]https://www.vulncheck.com/advisories/summarize-unapproved-browser-automation-execution
Related CVEs
Same vendor
- CVE-2026-45246 — Summarize prior to 0.15.1 contains an insecure file permission vulnerability in the refresh-free configuration rewrite path that allows l... (5.5 MEDIUM)
- CVE-2026-45245 — Summarize prior to 0.15.1 contains a vulnerability in the hover summary feature that allows malicious pages to dispatch synthetic mouseov... (7.4 HIGH)
- CVE-2026-45243 — Summarize prior to 0.15.1 contains a missing authorization vulnerability in the content script window.postMessage bridge that allows mali... (6.1 MEDIUM)
- CVE-2026-45242 — Summarize prior to 0.15.1 contains a path traversal vulnerability in the /v1/summarize daemon endpoint that allows authenticated callers ... (7.1 HIGH)
Same CWE
- CVE-2026-12105 — Improper access control in Devolutions Server 2026.2.5, 2026.1.21 allows an authenticated user to access attachments via folder duplicat...
- CVE-2026-53866 — OpenClaw before 2026.5.12 contains an allowlist bypass vulnerability in shell inline-command parsing that allows authenticated operators ... (8.1 HIGH)
- CVE-2026-53851 — OpenClaw before 2026.5.12 contains a notification bypass vulnerability allowing Slack reaction events to enter the agent pipeline despite... (5.3 MEDIUM)
- CVE-2026-53850 — OpenClaw before 2026.4.25 contains a control scope enforcement bypass vulnerability in the focus command that allows authenticated caller... (5.5 MEDIUM)
- CVE-2026-53844 — OpenClaw before 2026.4.29 contains a session visibility check bypass vulnerability in shared memory search that allows authenticated call... (6.5 MEDIUM)