CVE-2026-45246
Analyzed Analyzed - Analysis Complete
Insecure File Permissions in Summarize Prior to 0.15.1 Allow Credential Exposure

Publication date: 2026-05-18

Last updated on: 2026-05-19

Assigner: VulnCheck

Description
Summarize prior to 0.15.1 contains an insecure file permission vulnerability in the refresh-free configuration rewrite path that allows local users to read sensitive credentials by exploiting default filesystem permissions. When the refresh-free path rewrites the configuration file, it creates the replacement with default process umask permissions instead of preserving the original file permissions, exposing the config file containing API keys and provider credentials to other local users on shared Unix-like systems.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-18
Last Modified
2026-05-19
Generated
2026-06-10
AI Q&A
2026-05-19
EPSS Evaluated
2026-06-08
NVD
CVE-2026-45246
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
steipete summarize to 0.15.1 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-732 The product specifies permissions for a security-critical resource in a way that allows that resource to be read or modified by unintended actors.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Impact Analysis

The vulnerability can lead to unauthorized local users gaining access to sensitive credentials stored in the configuration file.

This exposure can compromise API keys and provider credentials, potentially allowing attackers to misuse these credentials for unauthorized actions or access.

Executive Summary

This vulnerability exists in Summarize versions prior to 0.15.1 and involves insecure file permissions during the refresh-free configuration rewrite process.

When the configuration file is rewritten, the replacement file is created with default process umask permissions instead of preserving the original file permissions.

This behavior allows local users on shared Unix-like systems to read sensitive credentials such as API keys and provider credentials that are stored in the configuration file.

Compliance Impact

The vulnerability allows local users on shared Unix-like systems to read sensitive credentials such as API keys and provider credentials due to insecure file permissions during the refresh-free configuration rewrite path.

Exposure of sensitive credentials can lead to unauthorized access to protected data or systems, which may violate data protection requirements in standards and regulations like GDPR and HIPAA that mandate safeguarding sensitive information.

Therefore, this vulnerability could negatively impact compliance by failing to adequately protect sensitive configuration data, potentially leading to unauthorized disclosure of personal or protected health information if those credentials are used to access such data.

Detection Guidance

This vulnerability can be detected by checking the file permissions of the configuration files used by the summarize tool, specifically the ~/.summarize/config.json file and the ~/.summarize directory on Unix-like systems.

If the permissions are too permissive (e.g., readable by other local users), it indicates the system is vulnerable.

  • Use the command `ls -l ~/.summarize/config.json` to check the permissions of the config file.
  • Use the command `ls -ld ~/.summarize` to check the permissions of the directory containing the config file.
  • Look for permissions that are more open than 0600 for files or 0700 for directories, which would indicate exposure to other local users.
Mitigation Strategies

To mitigate this vulnerability immediately, update the summarize tool to version 0.15.1 or later where the issue is fixed.

The fix ensures that the ~/.summarize directory is created with 0700 permissions and the configuration files are created and maintained with 0600 permissions, restricting access to the owner only.

If updating immediately is not possible, manually restrict permissions on the configuration directory and files by running:

  • `chmod 700 ~/.summarize`
  • `chmod 600 ~/.summarize/config.json`

These steps will help prevent other local users from reading sensitive credentials until the official fix can be applied.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-45246. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart