Skip to main content

Summarize CVE-2026-45222

| EUVDEUVD-2026-29196 MEDIUM
Incorrect Permission Assignment for Critical Resource (CWE-732)
2026-05-11 VulnCheck GHSA-qp7v-gjgg-4mj6
6.9
CVSS 4.0 · Vendor: VulnCheck
Share

Severity by source

Vendor (VulnCheck) PRIMARY
6.9 MEDIUM
CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from Vendor (VulnCheck) · only source for this CVE.

CVSS VectorVendor: VulnCheck

CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

4
CVSS changed
May 11, 2026 - 19:22 NVD
6.1 (MEDIUM) 6.9 (MEDIUM)
Source Code Evidence Fetched
May 11, 2026 - 19:00 vuln.today
Analysis Generated
May 11, 2026 - 19:00 vuln.today
CVE Published
May 11, 2026 - 18:00 nvd
MEDIUM 6.1

DescriptionCVE.org

Summarize versions through 0.14.1, fixed in commit 0cfb0fb, creates the daemon configuration directory and file with default filesystem permissions that may be world-readable on Unix-like systems, allowing local attackers to read bearer tokens and API credentials stored in ~/.summarize/daemon.json. A local attacker can exploit these permissive permissions to read the daemon bearer token and persisted provider credentials, enabling unauthorized access to the daemon or recovery of sensitive API keys.

AnalysisAI

Summarize versions through 0.14.1 create daemon configuration files with world-readable permissions, allowing local attackers with user-level access to read bearer tokens and API credentials from ~/.summarize/daemon.json. The vulnerability enables unauthorized daemon access or recovery of sensitive provider API keys through insecure file permissions on Unix-like systems.

Technical ContextAI

Summarize is a command-line tool that manages a daemon process storing authentication tokens and provider credentials in a configuration file. The vulnerability stems from CWE-732 (Incorrect Permission Assignment for Critical Resource) - the application uses default filesystem permissions (0o644 or equivalent world-readable) when creating the ~/.summarize/daemon.json configuration file and its parent directory. On Unix-like systems, this allows any local user to read the file contents, exposing bearer tokens for daemon communication and plaintext API keys for integrated providers (e.g., OpenAI). The fix (commit 0cfb0fb) explicitly sets directory permissions to 0o700 (rwx------) and file permissions to 0o600 (rw-------), restricting read access to the file owner only. The patch also retroactively tightens permissions on existing files before rewriting secrets. On Windows and filesystems without POSIX mode support, the chmod operations fail gracefully without impacting functionality.

RemediationAI

Upgrade Summarize to the patched version released after commit 0cfb0fb. Users must upgrade their installations to apply the fix that explicitly sets directory and file permissions to 0o700 and 0o600 respectively. Immediate workaround for current installations: manually correct permissions on the daemon configuration directory and file with 'chmod 700 ~/.summarize && chmod 600 ~/.summarize/daemon.json' on Unix-like systems. This workaround restores confidentiality but does not address the underlying application logic - the daemon must still be restarted or the application updated for the fix to be automatically applied on future token writes. For systems that cannot immediately upgrade, restrict local user access to the system or disable the daemon feature if not required. Refer to https://github.com/steipete/summarize/pull/214 for patch details and https://www.vulncheck.com/advisories/summarize-insecure-daemon-configuration-file-permissions for the full advisory.

Share

CVE-2026-45222 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy