Severity by source
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from Vendor (VulnCheck) · only source for this CVE.
CVSS VectorVendor: VulnCheck
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
4DescriptionCVE.org
Summarize prior to 0.15.1 contains a missing authorization vulnerability that allows attackers to execute browser automation actions without per-call user approval when the extension automation feature is enabled. Attackers can influence the agent through malicious page or summary content to invoke enabled extension automation tools such as navigation or debugger-backed actions, bypassing the final user approval step when a user interacts with attacker-controlled content.
AnalysisAI
Missing authorization in the Summarize browser extension (versions prior to 0.15.1/0.15.2, CPE: cpe:2.3:a:steipete:summarize) allows remote unauthenticated attackers to execute browser automation actions - including navigation and debugger-backed operations - without triggering per-call user approval. Exploitation requires the extension automation feature to be enabled and the user to interact with attacker-controlled content (UI:R per CVSS), making this a prompt-injection-driven authorization bypass rather than a standalone remote attack. No public exploit has been identified at time of analysis, and the vendor released a patch in v0.15.2 as reported by VulnCheck.
Technical ContextAI
Summarize is an AI-powered browser extension and CLI tool (CPE: cpe:2.3:a:steipete:summarize) that processes web page and document content through an AI agent and exposes optional extension automation capabilities including browser navigation and Chrome DevTools Protocol (debugger-backed) actions. The root cause is CWE-862 (Missing Authorization): when the extension automation feature is enabled, the system feeds page or summary content into the agent without escaping content delimiters, creating a prompt injection pathway. Attacker-controlled content can embed instructions that cause the agent to invoke automation tools, bypassing the per-call approval gate that is supposed to require explicit user consent before each automation action executes. The v0.15.2 fix explicitly addresses this by escaping untrusted prompt context and content delimiters (per release notes: 'Core prompts: escape untrusted prompt context/content delimiters'), confirming that insufficient input sanitization upstream of the authorization check was the mechanism of bypass.
RemediationAI
Upgrade to Summarize v0.15.2 or later, which includes the fix for untrusted prompt context and content delimiter escaping introduced in commit e64fe3ecd1bb4fdc181dcfa88c96b9e1914ced0e via PR https://github.com/steipete/summarize/pull/219. The patched npm packages @steipete/summarize@0.15.2 and @steipete/summarize-core@0.15.2 are available at their respective npm registry URLs as of 2026-05-17. The release is available at https://github.com/steipete/summarize/releases/tag/v0.15.2 for both Chrome and Firefox extension distributions. As a compensating control prior to upgrading, explicitly disabling the extension automation feature eliminates the attack surface entirely, since this feature must be enabled for exploitation - the trade-off is loss of all browser automation functionality including navigation and debugger-backed actions. No other workarounds are identified from available data.
Path traversal in steipete/summarize prior to 0.15.1 lets authenticated callers of the /v1/summarize daemon endpoint wri
Summarize versions through 0.14.1 create daemon configuration files with world-readable permissions, allowing local atta
Insecure file permission assignment in the @steipete/summarize CLI tool exposes configuration files containing API keys
Server-side request forgery in steipete/Summarize before v0.17.0 enables an attacker who controls a podcast RSS feed to
Disk exhaustion in Summarize CLI (all versions before 0.17.0) allows remote attackers who control a podcast feed or medi
Missing authorization in the Summarize browser extension's content script window.postMessage bridge permits any maliciou
Server-side request forgery in the Summarize browser extension prior to version 0.15.2 allows malicious web pages to coe
Same weakness CWE-862 – Missing Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-30796
GHSA-67gq-6q8c-qqh6