CVE-2026-45246
5.5 MEDIUMSummarize prior to 0.15.1 contains an insecure file permission vulnerability in the refresh-free configuration rewrite path that allows l...
Published: 2026-05-18 · Last updated: 2026-05-19
Severity and scoring
- CVSS
- 5.5 MEDIUM
- Vector
- CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
- CWE
- CWE-732
Affected products
| Vendor | Product |
|---|---|
| steipete | summarize |
Description
Summarize prior to 0.15.1 contains an insecure file permission vulnerability in the refresh-free configuration rewrite path that allows local users to read sensitive credentials by exploiting default filesystem permissions. When the refresh-free path rewrites the configuration file, it creates the replacement with default process umask permissions instead of preserving the original file permissions, exposing the config file containing API keys and provider credentials to other local users on shared Unix-like systems.
Source: NVD
References
- [NVD]https://nvd.nist.gov/vuln/detail/CVE-2026-45246
- [Patch]https://github.com/steipete/summarize/commit/9e990193650a23dab73f37d5e1964d574a44098b
- [Patch]https://github.com/steipete/summarize/pull/217
- [Other]https://github.com/steipete/summarize/releases/tag/v0.15.2
- [Other]https://www.vulncheck.com/advisories/summarize-insecure-file-permissions-information-disclosure
Related CVEs
Same vendor
- CVE-2026-45245 — Summarize prior to 0.15.1 contains a vulnerability in the hover summary feature that allows malicious pages to dispatch synthetic mouseov... (7.4 HIGH)
- CVE-2026-45244 — Summarize prior to 0.15.1 contains a missing authorization vulnerability that allows attackers to execute browser automation actions with... (5.4 MEDIUM)
- CVE-2026-45243 — Summarize prior to 0.15.1 contains a missing authorization vulnerability in the content script window.postMessage bridge that allows mali... (6.1 MEDIUM)
- CVE-2026-45242 — Summarize prior to 0.15.1 contains a path traversal vulnerability in the /v1/summarize daemon endpoint that allows authenticated callers ... (7.1 HIGH)
Same CWE
- CVE-2026-53856 — OpenClaw before 2026.4.24 contains an insecure file permissions vulnerability in config recovery that restores OpenClaw.json with overly ... (5.5 MEDIUM)
- CVE-2026-0271 — A privilege escalation (PE) vulnerability in the Palo Alto Networks Prisma Access Agent app on Linux devices enables a local user to exec...
- CVE-2026-50570 — Fission is an open-source, Kubernetes-native serverless framework that simplifies the deployment of functions and applications on Kubernetes (8.5 HIGH)
- CVE-2026-26422 — clash-verge-service-ipc before 2.3.0 has a world-reachable IPC endpoint, leading to local privilege escalation (8.4 HIGH)
- CVE-2026-50590 — In Mimecast Incydr before 2.6.0, arbitrary file access can occur (4.5 MEDIUM)