CVE Alert

CVE-2026-45246

MEDIUM 5.5

Summarize < 0.15.1 Insecure File Permissions Information Disclosure

CVSS Score: 5.5
EPSS Score: 0.0%
EPSS Percentile: 0th

Summarize prior to 0.15.1 contains an insecure file permission vulnerability in the refresh-free configuration rewrite path that allows local users to read sensitive credentials by exploiting default filesystem permissions. When the refresh-free path rewrites the configuration file, it creates the replacement with default process umask permissions instead of preserving the original file permissions, exposing the config file containing API keys and provider credentials to other local users on shared Unix-like systems.

CWE: CWE-732
Vendor: steipete
Product: summarize
Published: May 18, 2026
Last Updated: May 18, 2026

CVSS v3 Breakdown

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Attack Vector: Local
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: None
Availability: None

Affected Versions

steipete / summarize
0 < 0.15.1

References

github.com: https://github.com/steipete/summarize/releases/tag/v0.15.2
github.com: https://github.com/steipete/summarize/pull/217
github.com: https://github.com/steipete/summarize/commit/9e990193650a23dab73f37d5e1964d574a44098b
vulncheck.com: https://www.vulncheck.com/advisories/summarize-insecure-file-permissions-information-disclosure

Credits

Chia Min Jun Lennon