CVE Catalog

CVE-2026-45246

MediumCVSS 5.5
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.14%

3th percentile - higher than 3% of all known CVEs

Summary

A vulnerability in Summarize prior to 0.15.1 involves insecure file permissions in the refresh-free configuration rewrite path. This causes the configuration file containing API keys and provider credentials to be created with default process umask permissions instead of preserving the original permissions, allowing local users to read sensitive data.

Risk Assessment

The risk is that local users on shared Unix-like systems can access the configuration file with credentials, potentially leading to leakage of confidential information and unauthorized access to resources.

Recommendation

Immediately update Summarize to version 0.15.1 or later, which fixes this vulnerability. Additionally, manually check and correct the configuration file permissions to ensure only authorized users have access.

Original NVD description (English source)

Summarize prior to 0.15.1 contains an insecure file permission vulnerability in the refresh-free configuration rewrite path that allows local users to read sensitive credentials by exploiting default filesystem permissions. When the refresh-free path rewrites the configuration file, it creates the replacement with default process umask permissions instead of preserving the original file permissions, exposing the config file containing API keys and provider credentials to other local users on shared Unix-like systems.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS