CVE-2026-45222

Summarize Insecure Daemon Configuration File Permissions

Assigner: VulnCheck
Reserved: 11.05.2026 Published: 11.05.2026 Updated: 11.05.2026

Summarize versions through 0.14.1, fixed in commit 0cfb0fb, creates the daemon configuration directory and file with default filesystem permissions that may be world-readable on Unix-like systems, allowing local attackers to read bearer tokens and API credentials stored in ~/.summarize/daemon.json. A local attacker can exploit these permissive permissions to read the daemon bearer token and persisted provider credentials, enabling unauthorized access to the daemon or recovery of sensitive API keys.

Metrics

CVSS Vector: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N
CVSS Score: 6.9

Exploitability Metrics		Vulnerable System Impact Metrics		Subsequent System Impact Metrics
Attack Vector	Local	Confidentiality	High	Confidentiality	None
Attack Complexity	Low	Integrity	Low	Integrity	None
Attack Requirements	None	Availability	None	Availability	None
Privileges Required	Low
User Interaction	None

CVSS 4.0

CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N
CVSS Score: 6.1

Attack Vector	Local	Scope	Unchanged
Attack Complexity	Low	Confidentiality Impact	High
Privileges Required	Low	Integrity Impact	Low
User Interaction	None	Availability Impact	None

CVSS 3.1

Product Status

Vendor	steipete
Product	summarize
Versions	Default: affected affected from 0 to 0.14.1 (incl.) Version 0cfb0fb99777a87a7b02082b5e4bd449f8dd6175 is unaffected

Vendor

steipete

Product

summarize

Versions

Default: affected

affected from 0 to 0.14.1 (incl.)
Version 0cfb0fb99777a87a7b02082b5e4bd449f8dd6175 is unaffected

Credits

Chia Min Jun Lennon finder

References

Problem Types