CVE-2026-45246
MediumCVSS 5.5Exploitation Probability (EPSS)
Low risk3th percentile - higher than 3% of all known CVEs
Summary
A vulnerability in Summarize prior to 0.15.1 involves insecure file permissions in the refresh-free configuration rewrite path. This causes the configuration file containing API keys and provider credentials to be created with default process umask permissions instead of preserving the original permissions, allowing local users to read sensitive data.
Risk Assessment
The risk is that local users on shared Unix-like systems can access the configuration file with credentials, potentially leading to leakage of confidential information and unauthorized access to resources.
Recommendation
Immediately update Summarize to version 0.15.1 or later, which fixes this vulnerability. Additionally, manually check and correct the configuration file permissions to ensure only authorized users have access.
Original NVD description (English source)
Summarize prior to 0.15.1 contains an insecure file permission vulnerability in the refresh-free configuration rewrite path that allows local users to read sensitive credentials by exploiting default filesystem permissions. When the refresh-free path rewrites the configuration file, it creates the replacement with default process umask permissions instead of preserving the original file permissions, exposing the config file containing API keys and provider credentials to other local users on shared Unix-like systems.

