CVSS Vector (NVD)
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Description (NVD)
Summarize prior to 0.15.1 contains a missing authorization vulnerability that allows attackers to execute browser automation actions without per-call user approval when the extension automation feature is enabled. Attackers can influence the agent through malicious page or summary content to invoke enabled extension automation tools such as navigation or debugger-backed actions, bypassing the final user approval step when a user interacts with attacker-controlled content.
Analysis (AI)
Missing authorization in the Summarize browser extension (versions prior to 0.15.1/0.15.2, CPE: cpe:2.3:a:steipete:summarize) allows remote unauthenticated attackers to execute browser automation actions - including navigation and debugger-backed operations - without triggering per-call user approval. Exploitation requires the extension automation feature to be enabled and the user to interact with attacker-controlled content (UI:R per CVSS), making this a prompt-injection-driven authorization bypass rather than a standalone remote attack. …
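An added example, not code from Summarize or from this advisory: a per-call approval gate for agent-issued tool calls, shown beside the ungated pattern the description implies. All names (`ApprovalStore`, `dispatchGated`, the tool set, the sample URL) are hypothetical, and the actual fix in the patched release may differ.

```javascript
// Added example: every name below is hypothetical, none comes from Summarize.
const SENSITIVE = new Set(["navigate", "debugger"]);

// Binds an approval to one exact call. Assumes args serialize deterministically.
const callKey = (call) => JSON.stringify([call.name, call.args]);

// Weak pattern: the feature toggle is the only gate, so any tool call the
// model emits after reading page or summary text runs immediately.
function dispatchUngated(tools, settings, call) {
  if (!settings.automationEnabled) return { ran: false, reason: "automation-disabled" };
  return { ran: true, result: tools[call.name](call.args) };
}

// Single-use approvals. grant() must be reachable only from the extension's
// own UI click handler, never from model output or page content.
class ApprovalStore {
  #pending = new Set();
  grant(call) { this.#pending.add(callKey(call)); }
  consume(call) { return this.#pending.delete(callKey(call)); }
}

// Hardened pattern: a sensitive call runs only if the user approved that call.
function dispatchGated(tools, settings, approvals, call) {
  if (!settings.automationEnabled) return { ran: false, reason: "automation-disabled" };
  if (!Object.prototype.hasOwnProperty.call(tools, call.name)) {
    return { ran: false, reason: "unknown-tool" };
  }
  if (SENSITIVE.has(call.name) && !approvals.consume(call)) {
    return { ran: false, reason: "approval-required" };
  }
  return { ran: true, result: tools[call.name](call.args) };
}

// Constructed scenario: the same model-issued call through both dispatchers.
function demo() {
  const visited = [];
  const tools = { navigate: ({ url }) => { visited.push(url); return "navigated"; } };
  const settings = { automationEnabled: true };
  const call = { name: "navigate", args: { url: "https://untrusted.example/" } };
  const approvals = new ApprovalStore();

  const ungated = dispatchUngated(tools, settings, call); // runs, no prompt
  const blocked = dispatchGated(tools, settings, approvals, call);
  approvals.grant(call); // user clicked "Allow" for this exact call
  const allowed = dispatchGated(tools, settings, approvals, call);
  const replay = dispatchGated(tools, settings, approvals, call); // approval spent
  return { ungated, blocked, allowed, replay, visited };
}
```

Because the approval is keyed to the tool name and arguments and is consumed on use, an approval given for one navigation cannot be reused for a different URL or replayed for a second call.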
EUVD-2026-30796
GHSA-67gq-6q8c-qqh6