CVE-2026-45244
Analyzed - Analysis Complete
Summarize Prior Extension Automation Authorization Bypass

Publication date: 2026-05-18

Last updated on: 2026-05-19

Assigner: VulnCheck

Description
Summarize prior to 0.15.1 contains a missing authorization vulnerability that allows attackers to execute browser automation actions without per-call user approval when the extension automation feature is enabled. Attackers can influence the agent through malicious page or summary content to invoke enabled extension automation tools such as navigation or debugger-backed actions, bypassing the final user approval step when a user interacts with attacker-controlled content.
Meta Information
Published: 2026-05-18
Last Modified: 2026-05-19
Generated: 2026-06-10
AI Q&A: 2026-05-19
EPSS Evaluated: 2026-06-08
Affected Vendors & Products
Showing 1 associated CPE
Vendor: steipete
Product: summarize
Version / Range: up to 0.15.1 (excluding)
CWE
CWE ID: CWE-862
Description: The product does not perform an authorization check when an actor attempts to access a resource or perform an action.
Compliance Impact

The provided information does not explicitly address how CVE-2026-45244 affects compliance with common standards and regulations such as GDPR or HIPAA.

Impact Analysis

This vulnerability can allow attackers to perform automated browser actions on behalf of the user without their explicit consent for each action. This could lead to unauthorized navigation, manipulation, or debugging actions within the browser environment.

Such unauthorized actions may compromise user security and privacy by enabling attackers to control browser behavior through malicious content.

Executive Summary

The vulnerability exists in Summarize versions prior to 0.15.1 and involves a missing authorization check. This flaw allows attackers to execute browser automation actions without requiring user approval for each action when the extension's automation feature is enabled.

Attackers can manipulate the agent by using malicious page or summary content to trigger enabled automation tools such as navigation or debugger-backed actions. This bypasses the final user approval step that normally occurs when a user interacts with attacker-controlled content.

Detection Guidance

This vulnerability involves unauthorized execution of browser automation actions without per-call user approval when the extension automation feature is enabled. Detection would involve monitoring for unexpected or unauthorized automation tool calls triggered by attacker-controlled content.

Since the vulnerability is related to browser extension behavior, detection on a network or system level may require inspecting browser extension logs or monitoring browser automation tool invocations.

No specific commands or detection tools are provided in the available resources.

Mitigation Strategies

To mitigate this vulnerability, upgrade the Summarize extension to version 0.15.1 or later, where the missing authorization issue has been fixed.

The fix introduces an explicit user confirmation prompt before executing any automation tool calls, preventing unauthorized or unexpected browser automation.

  • Update the Summarize extension to version 0.15.1 or newer.
  • Ensure the extension's automation feature is enabled only when necessary and users are aware of the security implications.
  • Verify that the extension prompts for user confirmation before executing automation actions.
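
The per-call confirmation described above, sketched as an added example; it is not Summarize's code and is not taken from the 0.15.1 fix. `ApprovalGate`, `callKey` and the tool names are hypothetical, and the call list is constructed.

```javascript
// Hypothetical per-call approval gate for agent tool calls (added example).

// Canonical key for one call, so an approval covers exactly that tool + args.
// Only top-level argument keys are sorted; nested objects are assumed absent.
function callKey(tool, args) {
  return JSON.stringify([tool, Object.keys(args).sort().map((k) => [k, args[k]])]);
}

class ApprovalGate {
  constructor({ automationEnabled }) {
    this.automationEnabled = automationEnabled;
    this.pending = new Set(); // calls the user approved, each usable once
  }

  // Called only from the trusted confirmation UI after the user allows a call.
  recordUserApproval(tool, args) {
    this.pending.add(callKey(tool, args));
  }

  // Feature-flag-only check (the CWE-862 pattern): once automation is
  // enabled, every call passes, whoever steered the agent into making it.
  authorizeFlagOnly(_tool, _args) {
    return this.automationEnabled;
  }

  // Per-call check: feature enabled AND a matching, unused user approval.
  authorize(tool, args) {
    if (!this.automationEnabled) return false;
    return this.pending.delete(callKey(tool, args)); // consumed on use
  }
}

// Constructed scenario: the user approves one navigation, then page content
// steers the agent into requesting calls the user never saw.
function demo() {
  const gate = new ApprovalGate({ automationEnabled: true });
  gate.recordUserApproval("navigate", { url: "https://example.com/docs" });
  const calls = [
    ["navigate", { url: "https://example.com/docs" }],       // approved
    ["navigate", { url: "https://attacker.example/" }],      // never approved
    ["debugger", { action: "click", selector: "#confirm" }], // never approved
    ["navigate", { url: "https://example.com/docs" }],       // replay
  ];
  return calls.map(([tool, args]) => ({
    tool,
    flagOnly: gate.authorizeFlagOnly(tool, args),
    perCall: gate.authorize(tool, args),
  }));
}
```

Because each approval is bound to the exact call and consumed on use, a denied or replayed call can also be logged as a signal that content is driving the agent.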