Vulnerability Description
Summarize prior to 0.15.1 contains an insecure file permission vulnerability in the refresh-free configuration rewrite path that allows local users to read sensitive credentials by exploiting default filesystem permissions. When the refresh-free path rewrites the configuration file, it creates the replacement with default process umask permissions instead of preserving the original file permissions, exposing the config file containing API keys and provider credentials to other local users on shared Unix-like systems.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Steipete | Summarize | < 0.15.1 |
Related Weaknesses (CWE)
References
- https://github.com/steipete/summarize/commit/9e990193650a23dab73f37d5e1964d574a4Patch
- https://github.com/steipete/summarize/pull/217ExploitIssue TrackingPatch
- https://github.com/steipete/summarize/releases/tag/v0.15.2Release Notes
- https://www.vulncheck.com/advisories/summarize-insecure-file-permissions-informaThird Party Advisory
FAQ
What is CVE-2026-45246?
CVE-2026-45246 is a vulnerability with a CVSS score of 5.5 (MEDIUM). Summarize prior to 0.15.1 contains an insecure file permission vulnerability in the refresh-free configuration rewrite path that allows local users to read sensitive credentials by exploiting default ...
How severe is CVE-2026-45246?
CVE-2026-45246 has been rated MEDIUM with a CVSS base score of 5.5/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2026-45246?
Check the references section above for vendor advisories and patch information. Affected products include: Steipete Summarize.