Skip to main content

Summarize CVE-2026-45246

| EUVDEUVD-2026-30799 MEDIUM
Incorrect Permission Assignment for Critical Resource (CWE-732)
2026-05-18 VulnCheck GHSA-cjvq-x32c-xrmv
6.8
CVSS 4.0 · Vendor: VulnCheck
Share

Severity by source

Vendor (VulnCheck) PRIMARY
6.8 MEDIUM
CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from Vendor (VulnCheck) · only source for this CVE.

CVSS VectorVendor: VulnCheck

CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

3
CVSS changed
May 18, 2026 - 20:22 NVD
5.5 (MEDIUM) 6.8 (MEDIUM)
Source Code Evidence Fetched
May 18, 2026 - 20:01 vuln.today
Analysis Generated
May 18, 2026 - 20:01 vuln.today

DescriptionCVE.org

Summarize prior to 0.15.1 contains an insecure file permission vulnerability in the refresh-free configuration rewrite path that allows local users to read sensitive credentials by exploiting default filesystem permissions. When the refresh-free path rewrites the configuration file, it creates the replacement with default process umask permissions instead of preserving the original file permissions, exposing the config file containing API keys and provider credentials to other local users on shared Unix-like systems.

AnalysisAI

Insecure file permission assignment in the @steipete/summarize CLI tool exposes configuration files containing API keys and provider credentials to other local users on shared Unix-like systems. All versions prior to 0.15.1 (CPE: cpe:2.3:a:steipete:summarize) are affected via a specific code path - the refresh-free configuration rewrite - that creates replacement config files using the process default umask rather than preserving original file permissions. No public exploit code exists and this is not listed in the CISA KEV catalog; however, the high-confidentiality CVSS signal (C:H) reflects the real sensitivity of what is exposed (API keys, provider credentials) when Summarize is used on multi-user Unix environments.

Technical ContextAI

CWE-732 (Incorrect Permission Assignment for Critical Resource) describes the root cause precisely: when the refresh-free configuration rewrite path executes, it creates the new config file under the process's default umask rather than inheriting the permission mask of the file it replaces. On most Unix-like systems the default umask of 022 produces world-readable files (mode 0644), meaning any local user can open the configuration file and read its contents. The @steipete/summarize tool (npm packages @steipete/summarize and @steipete/summarize-core) stores API keys and provider credentials in this config file, making the permission leak directly exploitable for credential theft. The vulnerability is path-specific - it manifests only through the refresh-free rewrite code path, not necessarily all config write operations - which may limit exposure depending on how often that path is exercised.

RemediationAI

Upgrade to @steipete/summarize v0.15.2 (npm dist-tag latest, published 2026-05-17, integrity sha512-kW4SeT7UlHAypcuIyVO3sg/z9SwNRQkT9c52ElDEqqSUQUW9iJcQ2JLPV/o/3HzEazOrlSzCg9WUH1CooZ34FQ==) via 'npm install -g @steipete/summarize@latest' or equivalent. The upstream patch is commit 9e990193650a23dab73f37d5e1964d574a44098b (PR #217, https://github.com/steipete/summarize/pull/217); the release is tagged at https://github.com/steipete/summarize/releases/tag/v0.15.2. For systems that cannot upgrade immediately, set a restrictive umask (077) for the user account running Summarize before invoking the tool - this prevents world-readable file creation but must be applied per session or in the user's shell profile. Additionally, manually audit and restrict existing config files with 'chmod 600 ~/.config/summarize/config' (or equivalent path) and rotate any API keys or provider credentials that may have been exposed. The umask workaround has a trade-off: it affects all file creation in that shell session, not just Summarize, which may cause permission issues for other tools. Vendor advisory: https://www.vulncheck.com/advisories/summarize-insecure-file-permissions-information-disclosure.

Share

CVE-2026-45246 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy