Description
Summarize prior to 0.15.1 contains an insecure file permission vulnerability in the refresh-free configuration rewrite path that allows local users to read sensitive credentials by exploiting default filesystem permissions. When the refresh-free path rewrites the configuration file, it creates the replacement with default process umask permissions instead of preserving the original file permissions, exposing the config file containing API keys and provider credentials to other local users on shared Unix-like systems.
Published: 2026-05-18
Score: 6.8 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Summarize prior to 0.15.1 contains an insecure file permission flaw that occurs during the refresh-free configuration rewrite: the tool creates the replacement file using the default process umask rather than preserving the original permissions. As a result, the configuration file, which stores API keys and provider credentials, becomes readable by any local user on a shared Unix-like system, disclosing sensitive credentials.

Affected Systems

The affected product is the open-source tool Summarize from steipete; all versions older than 0.15.1 are vulnerable, and the flaw applies to any Unix-style platform on which the tool runs.

Risk and Exploitability

The vulnerability has a CVSS score of 6.8 and is not listed in the CISA KEV catalog. The EPSS score is not available, so the probability of exploitation cannot be quantified. Because the attack vector requires local user access, any local user on a shared system could read the configuration file and obtain its secrets, which presents a moderate to high risk wherever multiple users share the same environment.

Generated by OpenCVE AI on May 18, 2026 at 20:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Summarize to version 0.15.2 or later, ensuring the correct file permissions are applied during configuration rewrite.
  • Verify that the resulting configuration file is owned by the intended user and has permissions set to 0600 or equivalent so that other local users cannot read it.
  • Implement an administrative policy to audit file permissions on configuration files regularly, and consider applying an immutable flag or ACL to lock down these files against inadvertent changes.
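
The defect and the hardened rewrite side by side, as an added Python example that is not code from the Summarize project (function names and the config path are illustrative; the config content is a constructed placeholder):

```python
import os
import stat
import tempfile

def rewrite_config_unsafe(path, new_text):
    """Vulnerable pattern (illustrative, not Summarize's code): open() creates the
    replacement with mode 0o666 & ~umask, so a 0600 original becomes 0644 under the
    usual 022 umask and every local user can read the rewritten secrets."""
    tmp = path + ".tmp"
    with open(tmp, "w") as f:
        f.write(new_text)
    os.replace(tmp, path)          # the swap carries the too-wide mode onto the config

def rewrite_config_safe(path, new_text):
    """Hardened rewrite: read the original mode, never widen it beyond owner
    read/write, and pass that mode to os.open() so the temp file is never readable
    by others at any point; fchmod() guards against the umask clipping bits."""
    try:
        mode = stat.S_IMODE(os.stat(path).st_mode) & 0o600
    except FileNotFoundError:
        mode = 0o600               # no original to preserve: default to owner-only
    tmp = path + ".tmp"
    fd = os.open(tmp, os.O_WRONLY | os.O_CREAT | os.O_EXCL, mode)
    with os.fdopen(fd, "w") as f:
        os.fchmod(fd, mode)
        f.write(new_text)
        f.flush()
        os.fsync(fd)
    os.replace(tmp, path)          # atomic swap keeps the owner-only mode

def file_mode(path):
    """Permission bits of a file as an int, e.g. 0o600."""
    return stat.S_IMODE(os.stat(path).st_mode)

def demo(umask=0o022):
    """Create a 0600 config, rewrite it both ways under the given umask and
    report the resulting modes (constructed placeholder content, no real key)."""
    old_umask = os.umask(umask)
    try:
        with tempfile.TemporaryDirectory() as d:
            path = os.path.join(d, "config.json")
            fd = os.open(path, os.O_WRONLY | os.O_CREAT, 0o600)
            os.fchmod(fd, 0o600)
            os.close(fd)
            rewrite_config_unsafe(path, '{"api_key": "PLACEHOLDER"}\n')
            unsafe_mode = file_mode(path)
            os.chmod(path, 0o600)  # restore 0600 so both rewrites start from the same state
            rewrite_config_safe(path, '{"api_key": "PLACEHOLDER"}\n')
            safe_mode = file_mode(path)
    finally:
        os.umask(old_umask)
    return {"unsafe": unsafe_mode, "safe": safe_mode}
```

Run `demo()` to see the unsafe path yield 0644 under a 022 umask while the safe path keeps 0600; `demo(0o077)` shows the unsafe path only appears safe because a strict umask happens to be set.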


Advisories

No advisories yet.

History

Mon, 18 May 2026 20:45:00 +0000

Type                  Values Removed   Values Added
First Time appeared   -                Steipete; Steipete summarize
Vendors & Products    -                Steipete; Steipete summarize

Mon, 18 May 2026 19:30:00 +0000

Type          Values Removed   Values Added
Description   -                Summarize prior to 0.15.1 contains an insecure file permission vulnerability in the refresh-free configuration rewrite path that allows local users to read sensitive credentials by exploiting default filesystem permissions. When the refresh-free path rewrites the configuration file, it creates the replacement with default process umask permissions instead of preserving the original file permissions, exposing the config file containing API keys and provider credentials to other local users on shared Unix-like systems.
Title         -                Summarize < 0.15.1 Insecure File Permissions Information Disclosure
Weaknesses    -                CWE-732
References    -                -
Metrics       -                cvssV3_1: {'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N'}
                               cvssV4_0: {'score': 6.8, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-05-18T19:03:34.753Z

Reserved: 2026-05-11T14:14:49.613Z

Link: CVE-2026-45246

Vulnrichment

No data.

NVD

Status: Undergoing Analysis

Published: 2026-05-18T20:16:38.823

Modified: 2026-05-18T20:19:31.307

Link: CVE-2026-45246

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-18T20:30:05Z

Weaknesses