CVE-2026-45244

Summarize Prior Extension Automation Authorization Bypass

Vulnerability report for CVE-2026-45244, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-05-18

Last updated on: 2026-05-19

Assigner: VulnCheck

Description

Summarize prior to 0.15.1 contains a missing authorization vulnerability that allows attackers to execute browser automation actions without per-call user approval when the extension automation feature is enabled. Attackers can influence the agent through malicious page or summary content to invoke enabled extension automation tools such as navigation or debugger-backed actions, bypassing the final user approval step when a user interacts with attacker-controlled content.

Meta Information

Published: 2026-05-18
Last Modified: 2026-05-19
Generated: 2026-06-30
AI Q&A: 2026-05-19
EPSS Evaluated: 2026-06-28

Affected Vendors & Products

One associated CPE:
Vendor: steipete
Product: summarize
Version / Range: up to 0.15.1 (excluding)

Exploitability

CWE-862: The product does not perform an authorization check when an actor attempts to access a resource or perform an action.

Compliance Impact

The provided information does not explicitly address how CVE-2026-45244 affects compliance with common standards and regulations such as GDPR or HIPAA.

Detection Guidance

This vulnerability involves unauthorized execution of browser automation actions without per-call user approval when the extension automation feature is enabled. Detection would involve monitoring for unexpected or unauthorized automation tool calls triggered by attacker-controlled content.

Since the vulnerability is related to browser extension behavior, detection on a network or system level may require inspecting browser extension logs or monitoring browser automation tool invocations.

No specific commands or detection tools are provided in the available resources.

Mitigation Strategies

To mitigate this vulnerability, upgrade the Summarize extension to version 0.15.1 or later, where the missing authorization issue has been fixed.

The fix introduces an explicit user confirmation prompt before executing any automation tool calls, preventing unauthorized or unexpected browser automation.

  • Update the Summarize extension to version 0.15.1 or newer.
  • Ensure the extension's automation feature is enabled only when necessary and users are aware of the security implications.
  • Verify that the extension prompts for user confirmation before executing automation actions.
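The detection guidance above asks for monitoring of automation tool invocations, and the mitigation describes a per-call user confirmation step. The following is an added example, not code from the Summarize project, that shows the shape of such a gate: an agent-proposed tool call is dispatched only after a fresh approval for that exact call, the decision is written to an audit record, and a detection query over that record surfaces any execution that carried no user decision. The tool names, the call and settings objects, the approval callback and the audit record layout are all assumptions made for the illustration.

```javascript
// Added example (not the Summarize project's code): per-call approval gate for
// agent-invoked browser automation tools, plus the audit record a detector
// would inspect. Tool names, argument shapes and interfaces are assumptions.

// Constructed tool table. Real tools would drive tabs or the debugger API;
// here each returns a string so the example runs offline.
const AUTOMATION_TOOLS = {
  navigate: (args) => `navigate:${args.url}`,
  debuggerCommand: (args) => `debugger:${args.method}`,
};

// Audit trail: one record per attempted tool call, whether or not it ran.
const auditLog = [];

function record(entry) {
  auditLog.push({ seq: auditLog.length, ...entry });
  return entry;
}

// Illustrative pre-fix shape: once the feature is enabled, the agent's
// proposed call runs immediately, so page text that steers the agent also
// steers the browser. The record carries no user decision at all.
function invokeUnchecked(call, settings) {
  if (!settings.automationEnabled) {
    return record({ tool: call.tool, executed: false, approved: null, reason: 'feature disabled' });
  }
  const tool = AUTOMATION_TOOLS[call.tool];
  if (!tool) {
    return record({ tool: call.tool, executed: false, approved: null, reason: 'unknown tool' });
  }
  return record({ tool: call.tool, executed: true, approved: null, result: tool(call.args) });
}

// Hardened shape: every call needs a fresh decision from the user. The
// approval callback sees the exact tool, arguments and where the proposal
// came from; nothing is cached across calls, so one "yes" for a navigation
// cannot authorize a later debugger-backed action.
function invokeWithApproval(call, settings, requestApproval) {
  if (!settings.automationEnabled) {
    return record({ tool: call.tool, executed: false, approved: null, reason: 'feature disabled' });
  }
  const tool = AUTOMATION_TOOLS[call.tool];
  if (!tool) {
    return record({ tool: call.tool, executed: false, approved: null, reason: 'unknown tool' });
  }
  // Fail closed: anything other than an explicit true is treated as a denial.
  const approved = requestApproval({ tool: call.tool, args: call.args, source: call.source }) === true;
  if (!approved) {
    return record({ tool: call.tool, executed: false, approved: false, reason: 'user denied' });
  }
  return record({ tool: call.tool, executed: true, approved: true, result: tool(call.args) });
}

// Detection view over the audit trail: executed calls with no affirmative
// user decision are the events the detection guidance says to look for.
function unapprovedExecutions(log) {
  return log.filter((e) => e.executed && e.approved !== true);
}

// Constructed scenario: the agent proposes two calls, both derived from
// summarized page content rather than from a direct user instruction.
const proposals = [
  { tool: 'navigate', args: { url: 'https://example.invalid/landing' }, source: 'page-content' },
  { tool: 'debuggerCommand', args: { method: 'Runtime.evaluate' }, source: 'page-content' },
];

function runScenario() {
  auditLog.length = 0;
  const settings = { automationEnabled: true };
  // Unchecked dispatch: both proposals execute with no decision recorded.
  const before = proposals.map((p) => invokeUnchecked(p, settings));
  // Gated dispatch with a user who approves the navigation but denies the debugger call.
  const prompt = (req) => req.tool === 'navigate';
  const after = proposals.map((p) => invokeWithApproval(p, settings, prompt));
  return { before, after, flagged: unapprovedExecutions(auditLog) };
}

runScenario();
```

The gate keys every record on the individual call rather than on a session-wide "automation enabled" switch; that is what makes the audit trail useful, because a detector can then distinguish "ran with an approval" from "ran with none" instead of only seeing that the feature was on.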

Impact Analysis

This vulnerability can allow attackers to perform automated browser actions on behalf of the user without their explicit consent for each action. This could lead to unauthorized navigation, manipulation, or debugging actions within the browser environment.

Such unauthorized actions may compromise user security and privacy by enabling attackers to control browser behavior through malicious content.

Executive Summary

The vulnerability exists in Summarize versions prior to 0.15.1 and involves a missing authorization check. This flaw allows attackers to execute browser automation actions without requiring user approval for each action when the extension's automation feature is enabled.

Attackers can manipulate the agent by using malicious page or summary content to trigger enabled automation tools such as navigation or debugger-backed actions. This bypasses the final user approval step that normally occurs when a user interacts with attacker-controlled content.
