Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from Vendor (VulnCheck) · only source for this CVE.
CVSS VectorVendor: VulnCheck
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
3DescriptionCVE.org
Summarize prior to 0.15.1 contains a missing authorization vulnerability in the content script window.postMessage bridge that allows malicious pages to perform unauthorized operations on automation artifacts. Attackers can simulate runtime messages with spoofed sender identifiers to list, read, create, overwrite, or delete automation artifacts scoped to the affected tab without proper authorization checks.
AnalysisAI
Missing authorization in the Summarize browser extension's content script window.postMessage bridge permits any malicious web page to perform unauthorized CRUD operations on automation artifacts scoped to the affected browser tab. By injecting messages with spoofed sender identifiers, an attacker-controlled page bypasses all authorization checks - enabling it to list, read, create, overwrite, or delete extension-managed artifacts without user awareness. No public exploit has been identified at time of analysis and the vulnerability is not listed in the CISA KEV catalog, though the attack barrier is low: exploitation requires only that the victim passively visit a malicious page while the extension is active.
Technical ContextAI
Summarize (CPE: cpe:2.3:a:steipete:summarize:*:*:*:*:*:*:*:*) is a browser extension and CLI tool by developer steipete. Browser extensions rely on content scripts injected into web page contexts, communicating with the extension background service worker via the window.postMessage API. The root cause is CWE-862 (Missing Authorization): the content script's postMessage bridge processes incoming runtime messages without verifying the origin, identity, or authenticity of the sender. Because any JavaScript running in the same tab can send window.postMessage calls, an attacker-controlled page can simulate legitimate internal extension messages by spoofing sender identifiers. The bridge then acts on these messages as if they originated from a trusted extension context, granting full access to automation artifact operations scoped to that tab. The flaw affects both the Chrome and Firefox extension packages.
RemediationAI
Update the Summarize browser extension to version 0.15.2, which contains the fix committed in 357544063af535bd574752622f9eb94be33ee5fd and released on 2026-05-17. Chrome users should install summarize-chrome-extension-v0.15.2.zip and Firefox users the corresponding v0.15.2 Firefox package, both available at https://github.com/steipete/summarize/releases/tag/v0.15.2. npm CLI users should upgrade to @steipete/summarize@0.15.2 and @steipete/summarize-core@0.15.2 (npm latest tag as of 2026-05-17). If immediate upgrade is not feasible, the only effective compensating control is to disable the Summarize extension entirely when browsing untrusted or public-facing sites; this eliminates extension functionality but removes the attack surface. No configuration-level setting is known to restrict postMessage processing selectively without patching, as the authorization gap is in the bridge itself.
Path traversal in steipete/summarize prior to 0.15.1 lets authenticated callers of the /v1/summarize daemon endpoint wri
Summarize versions through 0.14.1 create daemon configuration files with world-readable permissions, allowing local atta
Insecure file permission assignment in the @steipete/summarize CLI tool exposes configuration files containing API keys
Server-side request forgery in steipete/Summarize before v0.17.0 enables an attacker who controls a podcast RSS feed to
Disk exhaustion in Summarize CLI (all versions before 0.17.0) allows remote attackers who control a podcast feed or medi
Server-side request forgery in the Summarize browser extension prior to version 0.15.2 allows malicious web pages to coe
Missing authorization in the Summarize browser extension (versions prior to 0.15.1/0.15.2, CPE: cpe:2.3:a:steipete:summa
Same weakness CWE-862 – Missing Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-30794
GHSA-5624-2pmv-jx46