CVE-2026-45246
Insecure File Permissions in Summarize Prior to 0.15.1 Allow Credential Exposure
Publication date: 2026-05-18
Last updated on: 2026-05-19
Assigner: VulnCheck
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| steipete | summarize | < 0.15.1 (0.15.1 itself not affected) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-732 | The product specifies permissions for a security-critical resource in a way that allows that resource to be read or modified by unintended actors. |
AI Powered Q&A
How can this vulnerability impact me?
The vulnerability can lead to unauthorized local users gaining access to sensitive credentials stored in the configuration file.
This exposure can compromise API keys and provider credentials, potentially allowing attackers to misuse these credentials for unauthorized actions or access.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by checking the file permissions of the configuration files used by the summarize tool, specifically the ~/.summarize/config.json file and the ~/.summarize directory on Unix-like systems.
If the permissions are too permissive (e.g., readable by other local users), it indicates the system is vulnerable.
- Use the command `ls -l ~/.summarize/config.json` to check the permissions of the config file.
- Use the command `ls -ld ~/.summarize` to check the permissions of the directory containing the config file.
- Look for permissions that are more open than 0600 for files or 0700 for directories, which would indicate exposure to other local users.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability immediately, update the summarize tool to version 0.15.1 or later where the issue is fixed.
The fix ensures that the ~/.summarize directory is created with 0700 permissions and the configuration files are created and maintained with 0600 permissions, restricting access to the owner only.
If updating immediately is not possible, manually restrict permissions on the configuration directory and files by running:
- `chmod 700 ~/.summarize`
- `chmod 600 ~/.summarize/config.json`
These steps will help prevent other local users from reading sensitive credentials until the official fix can be applied.
Can you explain this vulnerability to me?
This vulnerability exists in Summarize versions prior to 0.15.1 and involves insecure file permissions during the refresh-free configuration rewrite process.
When the configuration file is rewritten, the replacement file is created with default process umask permissions instead of preserving the original file permissions.
This behavior allows local users on shared Unix-like systems to read sensitive credentials such as API keys and provider credentials that are stored in the configuration file.
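As an added illustration (not code from the Summarize project, whose source is not shown here), the Python below reproduces the rewrite defect described above next to a hardened rewrite, and runs the same permission check as the ls commands in the detection steps over a scratch stand-in for ~/.summarize. All function names and the sample config value are assumptions.

```python
import json
import os
import tempfile

OWNER_ONLY_FILE = 0o600  # expected mode for ~/.summarize/config.json
OWNER_ONLY_DIR = 0o700   # expected mode for ~/.summarize

def rewrite_vulnerable(path, data):
    """Advisory's pattern: the replacement file gets the umask default (0o644), not 0o600."""
    tmp = path + ".tmp"
    with open(tmp, "w") as fh:
        json.dump(data, fh)
    os.replace(tmp, path)

def rewrite_hardened(path, data):
    """Create the replacement owner-only before any secret is written, then replace atomically."""
    tmp = path + ".tmp"
    fd = os.open(tmp, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, OWNER_ONLY_FILE)
    with os.fdopen(fd, "w") as fh:
        os.fchmod(fd, OWNER_ONLY_FILE)  # umask also masks the mode given to os.open
        json.dump(data, fh)
    os.replace(tmp, path)

def audit(config_dir):
    """Same check as the ls -ld / ls -l steps: report any bits beyond 0700 / 0600."""
    cfg = os.path.join(config_dir, "config.json")
    findings = []
    for path, limit in ((config_dir, OWNER_ONLY_DIR), (cfg, OWNER_ONLY_FILE)):
        mode = os.stat(path).st_mode & 0o777
        if mode & ~limit:
            findings.append(f"{path}: {mode:04o} wider than {limit:04o}")
    return findings

def demo():
    """Run both rewrite paths on a scratch ~/.summarize stand-in under umask 022."""
    old_umask = os.umask(0o022)
    try:
        with tempfile.TemporaryDirectory() as base:
            cfg_dir = os.path.join(base, ".summarize")
            os.mkdir(cfg_dir, OWNER_ONLY_DIR)
            cfg = os.path.join(cfg_dir, "config.json")
            secret = {"apiKey": "CONSTRUCTED-EXAMPLE-KEY"}  # constructed sample value
            rewrite_hardened(cfg, secret)    # start from a correct 0600 file
            rewrite_vulnerable(cfg, secret)  # the refresh rewrite widens it to 0644
            after_vuln = audit(cfg_dir)
            rewrite_hardened(cfg, secret)    # the fixed rewrite restores 0600
            after_fix = audit(cfg_dir)
    finally:
        os.umask(old_umask)
    return after_vuln, after_fix
```

Running demo() shows one finding (config.json at 0644) after the vulnerable rewrite and none after the hardened one.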
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability allows local users on shared Unix-like systems to read sensitive credentials such as API keys and provider credentials due to insecure file permissions during the refresh-free configuration rewrite path.
Exposure of sensitive credentials can lead to unauthorized access to protected data or systems, which may violate data protection requirements in standards and regulations like GDPR and HIPAA that mandate safeguarding sensitive information.
Therefore, this vulnerability could negatively impact compliance by failing to adequately protect sensitive configuration data, potentially leading to unauthorized disclosure of personal or protected health information if those credentials are used to access such data.