CVE-2026-45243
Summarize prior to 0.15.1 Missing Authorization in Content Script
Publication date: 2026-05-18
Last updated on: 2026-05-19
Assigner: VulnCheck
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| steipete | summarize | < 0.15.1 (0.15.1 excluded) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-862 | The product does not perform an authorization check when an actor attempts to access a resource or perform an action. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in Summarize versions prior to 0.15.1 and involves a missing authorization check in the content script window.postMessage bridge.
It allows malicious web pages to perform unauthorized operations on automation artifacts by simulating runtime messages with spoofed sender identifiers.
As a result, attackers can list, read, create, overwrite, or delete automation artifacts scoped to the affected browser tab without proper authorization.
How can this vulnerability impact me?
The vulnerability can lead to unauthorized access and manipulation of automation artifacts within the affected tab.
Attackers could potentially view sensitive information, modify or delete important automation data, or create malicious artifacts, which could disrupt normal operations or lead to further exploitation.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability involves unauthorized operations via the content script's window.postMessage bridge in the Summarize browser extension prior to version 0.15.1. Detection would involve monitoring for suspicious or spoofed runtime messages targeting automation artifacts within affected tabs.
Since exploitation relies on window.postMessage events sent from web pages to the extension, potential exploitation can be detected by inspecting messages delivered to the extension's content script or by watching for unexpected changes to browser automation artifacts.
However, no specific detection commands or network signatures are provided in the available resources.
What immediate steps should I take to mitigate this vulnerability?
The primary mitigation step is to update the Summarize browser extension to version 0.15.1 or later, which includes the security fix addressing this vulnerability.
The fix involves stricter access controls on the automation artifacts bridge, ensuring that only explicitly armed tabs can perform artifact operations, and removing the legacy page-visible artifact bridge that allowed unauthorized message passing.
- Update the Summarize extension to version 0.15.1 or newer.
- Avoid using or installing vulnerable versions of the extension.
- Monitor for suspicious activity related to automation artifacts if updating immediately is not possible.
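As an added illustration (not code from the Summarize project), the spoofed-sender pattern described in the first answer next to the shape of the fix described here: authorization taken from an identifier inside a page-supplied message, versus authorization derived only from the browser-supplied runtime sender plus an extension-side set of explicitly armed tabs. All names in the block (ArtifactStore, armedTabs, EXTENSION_ID, the op names) are assumptions for the example.

```javascript
// Constructed model of a per-tab automation-artifact store (assumed name/shape).
const ALLOWED_OPS = new Set(["list", "read", "create", "overwrite", "delete"]);
const EXTENSION_ID = "assumed-extension-id"; // stands in for chrome.runtime.id

class ArtifactStore {
  constructor() { this.byTab = new Map(); }
  apply(tabId, op, name, body) {
    const bucket = this.byTab.get(tabId) ?? new Map();
    this.byTab.set(tabId, bucket);
    switch (op) {
      case "list": return [...bucket.keys()];
      case "read": return bucket.get(name) ?? null;
      case "create":
        if (bucket.has(name)) throw new Error("artifact exists");
        bucket.set(name, body); return true;
      case "overwrite": bucket.set(name, body); return true;
      case "delete": return bucket.delete(name);
      default: throw new Error("unknown op");
    }
  }
}

// Vulnerable pattern (CWE-862): a page-visible window.postMessage bridge treats a
// senderId carried inside the page's own message as proof of who sent it. Any
// script on the page controls that field, so it authorizes nothing.
function vulnerableBridge(store, pageMessage) {
  const { senderId, op, name, body } = pageMessage.data;
  return store.apply(senderId, op, name, body);
}

// Hardened pattern: no page-visible bridge at all. Operations arrive only through
// chrome.runtime.onMessage, where `sender` is populated by the browser (not the
// page), and the tab must already be in the extension-managed armed set.
function hardenedHandler(store, armedTabs, msg, sender) {
  if (!sender || sender.id !== EXTENSION_ID) return { ok: false, reason: "not from this extension" };
  const tabId = sender.tab?.id;
  if (tabId === undefined || !armedTabs.has(tabId)) return { ok: false, reason: "tab not armed" };
  if (!ALLOWED_OPS.has(msg.op)) return { ok: false, reason: "unknown op" };
  return { ok: true, result: store.apply(tabId, msg.op, msg.name, msg.body) };
}
```

The hardened handler never reads an identity claim out of the message body; the tab ID comes from the trusted sender object and is only honoured if the extension armed that tab first.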
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability allows malicious web pages to perform unauthorized operations on automation artifacts within the affected browser extension, potentially exposing sensitive extension-managed state to untrusted webpage content.
Such unauthorized access and manipulation of data could lead to violations of data protection principles required by standards and regulations like GDPR and HIPAA, which mandate strict controls over access to personal and sensitive information.
By allowing attackers to list, read, create, overwrite, or delete automation artifacts without proper authorization, the vulnerability undermines confidentiality and integrity safeguards that are critical for compliance.
Therefore, if the automation artifacts contain personal or sensitive data, this vulnerability could negatively impact compliance with these regulations by enabling unauthorized data access and modification.