CVE-2026-45246
6.8
CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
Summary
Summarize prior to 0.15.1 contains an insecure file permission vulnerability in the refresh-free configuration rewrite path that allows local users to read sensitive credentials by exploiting default filesystem permissions. When the refresh-free path rewrites the configuration file, it creates the replacement with default process umask permissions instead of preserving the original file permissions, exposing the config file containing API keys and provider credentials to other local users on shared Unix-like systems.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| steipete | summarize | 0 < 0.15.1 | affected |
| steipete | summarize | 9e990193650a23dab73f37d5e1964d574a44098b | unaffected |
Weaknesses
- CWE-732: Incorrect Permission Assignment for Critical Resource
ADP Enrichment
CISA ADP Vulnrichment
- SSVC:
- Exploitation: none
- Automatable: no
- Technical Impact: partial
References
- https://github.com/steipete/summarize/releases/tag/v0.15.2
- https://github.com/steipete/summarize/pull/217
- https://github.com/steipete/summarize/commit/9e990193650a23dab73f37d5e1964d574a44098b
- https://www.vulncheck.com/advisories/summarize-insecure-file-permissions-information-disclosure
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.