CVEFinder.io

CVE-2026-45246

🔶 medium
🔍 Scan for this CVE
Summary

Summarize prior to 0.15.1 contains an insecure file permission vulnerability in the refresh-free configuration rewrite path that allows local users to read sensitive credentials by exploiting default filesystem permissions. When the refresh-free path rewrites the configuration file, it creates the replacement with default process umask permissions instead of preserving the original file permissions, exposing the config file containing API keys and provider credentials to other local users on sha

Description

Summarize prior to 0.15.1 contains an insecure file permission vulnerability in the refresh-free configuration rewrite path that allows local users to read sensitive credentials by exploiting default filesystem permissions. When the refresh-free path rewrites the configuration file, it creates the replacement with default process umask permissions instead of preserving the original file permissions, exposing the config file containing API keys and provider credentials to other local users on shared Unix-like systems.

CVSS Score
5.5
Medium
EPSS Score
0.0
Exploit Probability
Published Date
2026-05-18
First Seen: 2026-05-19
📊 Relative Risk Intelligence

This CVE is Lower Risk - more severe than 32.6% of all 321,566 vulnerabilities in our database.

#216,619
Below average severity
Severity Percentile
🎯 CISA SSVC Assessment Updated: May 18, 2026
🔍 Exploitation Status
None
No known exploits
⚙️ Automatable
NO
Requires human interaction
💥 Technical Impact
Partial
Limited system impact
🏆 Discovered By
Chia Min Jun Lennon
SSVC data provided by CISA
Last Modified 2026-05-19
Source NVD 🔗
CVSS Vector 3.1 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
CVSS Vector 4.0 CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
CWE IDs (Weakness Types)
CWE-732

📦 Affected Products 1

Vendor Product Status Affected Versions
steipete summarize Affected
< 0.15.1

🔗 References 4

https://github.com/steipete/summarize/commit/9e99019...
Patch
https://github.com/steipete/summarize/pull/217
Exploit Issue Tracking Patch
https://github.com/steipete/summarize/releases/tag/v...
Release Notes
https://www.vulncheck.com/advisories/summarize-insec...
Third Party Advisory

🔗 Related CVEs 4

CVE ID Severity CVSS EPSS Summary Published
CVE-2026-45242 ⚠️ high 7.1 0.1 Summarize prior to 0.15.1 contains a path traversal vulnerability in the /v1/summarize daemon endpoint that allows authe... 2026-05-18
CVE-2026-45243 🔶 medium 6.1 0.0 Summarize prior to 0.15.1 contains a missing authorization vulnerability in the content script window.postMessage bridge... 2026-05-18
CVE-2026-45244 🔶 medium 5.4 0.0 Summarize prior to 0.15.1 contains a missing authorization vulnerability that allows attackers to execute browser automa... 2026-05-18
CVE-2026-45245 ⚠️ high 7.4 0.0 Summarize prior to 0.15.1 contains a vulnerability in the hover summary feature that allows malicious pages to dispatch ... 2026-05-18
These CVEs affect the same products