Skip to main content

Summarize EUVDEUVD-2026-30794

| CVE-2026-45243 MEDIUM
Missing Authorization (CWE-862)
2026-05-18 VulnCheck GHSA-5624-2pmv-jx46
5.3
CVSS 4.0 · Vendor: VulnCheck
Share

Severity by source

Vendor (VulnCheck) PRIMARY
5.3 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from Vendor (VulnCheck) · only source for this CVE.

CVSS VectorVendor: VulnCheck

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
P
Scope
X

Lifecycle Timeline

3
Source Code Evidence Fetched
May 18, 2026 - 19:31 vuln.today
Analysis Generated
May 18, 2026 - 19:31 vuln.today
CVSS changed
May 18, 2026 - 19:22 NVD
6.1 (MEDIUM) 5.3 (MEDIUM)

DescriptionCVE.org

Summarize prior to 0.15.1 contains a missing authorization vulnerability in the content script window.postMessage bridge that allows malicious pages to perform unauthorized operations on automation artifacts. Attackers can simulate runtime messages with spoofed sender identifiers to list, read, create, overwrite, or delete automation artifacts scoped to the affected tab without proper authorization checks.

AnalysisAI

Missing authorization in the Summarize browser extension's content script window.postMessage bridge permits any malicious web page to perform unauthorized CRUD operations on automation artifacts scoped to the affected browser tab. By injecting messages with spoofed sender identifiers, an attacker-controlled page bypasses all authorization checks - enabling it to list, read, create, overwrite, or delete extension-managed artifacts without user awareness. No public exploit has been identified at time of analysis and the vulnerability is not listed in the CISA KEV catalog, though the attack barrier is low: exploitation requires only that the victim passively visit a malicious page while the extension is active.

Technical ContextAI

Summarize (CPE: cpe:2.3:a:steipete:summarize:*:*:*:*:*:*:*:*) is a browser extension and CLI tool by developer steipete. Browser extensions rely on content scripts injected into web page contexts, communicating with the extension background service worker via the window.postMessage API. The root cause is CWE-862 (Missing Authorization): the content script's postMessage bridge processes incoming runtime messages without verifying the origin, identity, or authenticity of the sender. Because any JavaScript running in the same tab can send window.postMessage calls, an attacker-controlled page can simulate legitimate internal extension messages by spoofing sender identifiers. The bridge then acts on these messages as if they originated from a trusted extension context, granting full access to automation artifact operations scoped to that tab. The flaw affects both the Chrome and Firefox extension packages.

RemediationAI

Update the Summarize browser extension to version 0.15.2, which contains the fix committed in 357544063af535bd574752622f9eb94be33ee5fd and released on 2026-05-17. Chrome users should install summarize-chrome-extension-v0.15.2.zip and Firefox users the corresponding v0.15.2 Firefox package, both available at https://github.com/steipete/summarize/releases/tag/v0.15.2. npm CLI users should upgrade to @steipete/summarize@0.15.2 and @steipete/summarize-core@0.15.2 (npm latest tag as of 2026-05-17). If immediate upgrade is not feasible, the only effective compensating control is to disable the Summarize extension entirely when browsing untrusted or public-facing sites; this eliminates extension functionality but removes the attack surface. No configuration-level setting is known to restrict postMessage processing selectively without patching, as the authorization gap is in the bridge itself.

Share

EUVD-2026-30794 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy