CVE-2026-45243
Analyzed Analyzed - Analysis Complete
Summarize prior to 0.15.1 Missing Authorization in Content Script

Publication date: 2026-05-18

Last updated on: 2026-05-19

Assigner: VulnCheck

Description
Summarize prior to 0.15.1 contains a missing authorization vulnerability in the content script window.postMessage bridge that allows malicious pages to perform unauthorized operations on automation artifacts. Attackers can simulate runtime messages with spoofed sender identifiers to list, read, create, overwrite, or delete automation artifacts scoped to the affected tab without proper authorization checks.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-18
Last Modified
2026-05-19
Generated
2026-06-10
AI Q&A
2026-05-19
EPSS Evaluated
2026-06-08
NVD
CVE-2026-45243
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
steipete summarize to 0.15.1 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-862 The product does not perform an authorization check when an actor attempts to access a resource or perform an action.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in Summarize versions prior to 0.15.1 and involves a missing authorization check in the content script window.postMessage bridge.

It allows malicious web pages to perform unauthorized operations on automation artifacts by simulating runtime messages with spoofed sender identifiers.

As a result, attackers can list, read, create, overwrite, or delete automation artifacts scoped to the affected browser tab without proper authorization.

Detection Guidance

This vulnerability involves unauthorized operations via the content script's window.postMessage bridge in the Summarize browser extension prior to version 0.15.1. Detection would involve monitoring for suspicious or spoofed runtime messages targeting automation artifacts within affected tabs.

Since the vulnerability exploits window.postMessage events from web pages to the extension, you can detect potential exploitation by inspecting messages sent to the extension or unusual activity in browser automation artifacts.

However, no specific detection commands or network signatures are provided in the available resources.

Mitigation Strategies

The primary mitigation step is to update the Summarize browser extension to version 0.15.1 or later, which includes the security fix addressing this vulnerability.

The fix involves stricter access controls on the automation artifacts bridge, ensuring that only explicitly armed tabs can perform artifact operations, and removing the legacy page-visible artifact bridge that allowed unauthorized message passing.

  • Update the Summarize extension to version 0.15.1 or newer.
  • Avoid using or installing vulnerable versions of the extension.
  • Monitor for suspicious activity related to automation artifacts if updating immediately is not possible.
Compliance Impact

The vulnerability allows malicious web pages to perform unauthorized operations on automation artifacts within the affected browser extension, potentially exposing sensitive extension-managed state to untrusted webpage content.

Such unauthorized access and manipulation of data could lead to violations of data protection principles required by standards and regulations like GDPR and HIPAA, which mandate strict controls over access to personal and sensitive information.

By allowing attackers to list, read, create, overwrite, or delete automation artifacts without proper authorization, the vulnerability undermines confidentiality and integrity safeguards that are critical for compliance.

Therefore, if the automation artifacts contain personal or sensitive data, this vulnerability could negatively impact compliance with these regulations by enabling unauthorized data access and modification.

Impact Analysis

The vulnerability can lead to unauthorized access and manipulation of automation artifacts within the affected tab.

Attackers could potentially view sensitive information, modify or delete important automation data, or create malicious artifacts, which could disrupt normal operations or lead to further exploitation.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-45243. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart