Compliance Impact

CVE-2026-45222 allows local attackers to read sensitive bearer tokens and API credentials due to insecure default filesystem permissions on Unix-like systems. This unauthorized access to sensitive data could potentially lead to violations of data protection standards and regulations that require safeguarding of sensitive information, such as GDPR and HIPAA.

Specifically, the exposure of authentication tokens and API keys may result in unauthorized access to protected systems or data, which conflicts with compliance requirements for confidentiality and access control mandated by these regulations.

The vulnerability highlights the importance of enforcing strict file permissions to protect sensitive credentials, which is a common security control expected under standards like GDPR and HIPAA to prevent unauthorized data disclosure.

Useful 0 Not Useful 0

Executive Summary

CVE-2026-45222 is a medium-severity vulnerability in the Summarize software versions up to 0.14.1. The issue arises because the daemon configuration directory and file are created with default filesystem permissions that may be world-readable on Unix-like systems.

This misconfiguration allows local attackers to read sensitive information such as bearer tokens and API credentials stored in the file ~/.summarize/daemon.json. By exploiting these permissive permissions, an attacker with local access can gain unauthorized access to the daemon or recover sensitive API keys.

Useful 0 Not Useful 0

Impact Analysis

If you are running a vulnerable version of Summarize on a Unix-like system, local users on the same machine could read sensitive credentials stored in the daemon configuration files due to overly permissive file permissions.

This could lead to unauthorized access to the daemon, allowing attackers to interact with it as if they were legitimate users, or to recover sensitive API keys that could be used to access other services.

The impact is primarily confidentiality loss, as attackers can read secrets they should not have access to, potentially leading to further compromise depending on the use of those credentials.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability can be detected by checking the filesystem permissions of the daemon configuration directory and file located at ~/.summarize/daemon.json on Unix-like systems.

Specifically, you should verify if the directory ~/.summarize has permissions more permissive than 0700 and if the daemon.json file has permissions more permissive than 0600, as these loose permissions allow other local users to read sensitive bearer tokens and API credentials.

• Run the command: ls -ld ~/.summarize
• Run the command: ls -l ~/.summarize/daemon.json

If the directory permissions are not 700 or the file permissions are not 600, the system is vulnerable to this issue.

Useful 0 Not Useful 0

Mitigation Strategies

To mitigate this vulnerability immediately, you should restrict the filesystem permissions of the daemon configuration directory and file to owner-only access.

• Set the directory ~/.summarize permissions to 700 using: chmod 700 ~/.summarize
• Set the daemon.json file permissions to 600 using: chmod 600 ~/.summarize/daemon.json

Additionally, update the Summarize software to a version that includes the fix (commit 0cfb0fb or later), which enforces these restrictive permissions automatically and repairs existing loose permissions.

Useful 0 Not Useful 0