Skip to main content

Summarize CVE-2026-45242

| EUVDEUVD-2026-30797 HIGH
Missing Authorization (CWE-862)
2026-05-18 VulnCheck GHSA-8jr4-6r33-phwm
7.1
CVSS 4.0 · Vendor: VulnCheck
Share

Severity by source

Vendor (VulnCheck) PRIMARY
7.1 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from Vendor (VulnCheck) · only source for this CVE.

CVSS VectorVendor: VulnCheck

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

2
Source Code Evidence Fetched
May 18, 2026 - 19:30 vuln.today
Analysis Generated
May 18, 2026 - 19:30 vuln.today

DescriptionCVE.org

Summarize prior to 0.15.1 contains a path traversal vulnerability in the /v1/summarize daemon endpoint that allows authenticated callers to write files to arbitrary directories by supplying an absolute path or directory traversal sequence in the slidesDir request parameter. Attackers can exploit this to write slide_*.png and slides.json files to any writable directory and subsequently delete matching files at the specified location through repeat extraction.

AnalysisAI

Path traversal in steipete/summarize prior to 0.15.1 lets authenticated callers of the /v1/summarize daemon endpoint write slide_*.png and slides.json files to arbitrary directories by supplying an absolute path or traversal sequences in the slidesDir parameter, and subsequently delete matching files via repeat extraction. The flaw, reported by VulnCheck and patched in v0.15.2, enables file write and limited destructive impact across the filesystem; no public exploit identified at time of analysis.

Technical ContextAI

Summarize is a JavaScript/Node.js CLI and daemon distributed via npm as @steipete/summarize (and @steipete/summarize-core) that converts content into slide artifacts. The vulnerable code path is the daemon's /v1/summarize HTTP endpoint, which accepts a slidesDir parameter and uses it as the output directory for slide_*.png images and slides.json without validating that the supplied value is constrained to an expected base directory. This is a classic CWE-862 (Missing Authorization) on the path parameter - the endpoint authenticates the caller but does not authorize what filesystem locations they may target - resulting in path traversal via absolute paths or ../ sequences. The v0.15.2 release notes confirm the fix rejects traversal and symlinked cache image paths while still permitting valid child paths that legitimately begin with dot-dot text.

RemediationAI

Vendor-released patch: upgrade to @steipete/summarize and @steipete/summarize-core version 0.15.2 or later (npm latest as of 2026-05-17), which rejects traversal and symlinked cache image paths in the slides handler per the release notes and the fix commit ec8efd63295656fbfe8743620179c489bc5a242f (PR #220). Where immediate upgrade is not possible, bind the daemon to loopback only and firewall the /v1/summarize endpoint so only trusted local processes can reach it (trade-off: blocks legitimate remote daemon clients), run the daemon as a dedicated unprivileged user with a restrictive umask and no write access outside its intended slide output directory to limit the blast radius of arbitrary writes/deletes, and rotate any shared daemon authentication tokens that low-privileged users could currently use. Refer to https://github.com/steipete/summarize/releases/tag/v0.15.2 and the VulnCheck advisory for authoritative guidance.

Share

CVE-2026-45242 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy