Security Vulnerability Report
CVE-2026-45222 CVSS 6.1 MEDIUM

CVE-2026-45222

Published: 2026-05-11 19:16:27
Last Modified: 2026-05-11 20:25:47

Description

Summarize versions through 0.14.1, fixed in commit 0cfb0fb, creates the daemon configuration directory and file with default filesystem permissions that may be world-readable on Unix-like systems, allowing local attackers to read bearer tokens and API credentials stored in ~/.summarize/daemon.json. A local attacker can exploit these permissive permissions to read the daemon bearer token and persisted provider credentials, enabling unauthorized access to the daemon or recovery of sensitive API keys.

CVSS Details

CVSS Score
6.1
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N

Configurations (Affected Products)

No configuration data available.

Summarize <= 0.14.1

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
bash
#!/bin/bash
# PoC: Check if Summarize daemon config is world-readable
CONFIG_FILE="$HOME/.summarize/daemon.json"
if [ -f "$CONFIG_FILE" ]; then
    # Get file permissions in octal format (GNU stat; BSD/macOS stat uses -f "%Lp")
    PERMS=$(stat -c "%a" "$CONFIG_FILE" 2>/dev/null || stat -f "%Lp" "$CONFIG_FILE" 2>/dev/null)
    echo "[+] Found configuration file: $CONFIG_FILE"
    echo "[+] Current permissions: $PERMS"
    # Check if file is readable by others (read bit set in the last octal digit)
    # e.g., 644 -> readable by others
    LAST_DIGIT=${PERMS: -1}
    if [ -n "$LAST_DIGIT" ] && [ "$LAST_DIGIT" -ge 4 ]; then
        echo "[!] VULNERABLE: File is readable by others!"
        echo "[!] Content of the file:"
        cat "$CONFIG_FILE"
    else
        echo "[.] File permissions seem secure (not world-readable)."
    fi
else
    echo "[-] Configuration file not found at $CONFIG_FILE"
fi

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-45222", "sourceIdentifier": "[email protected]", "published": "2026-05-11T19:16:27.313", "lastModified": "2026-05-11T20:25:47.227", "vulnStatus": "Received", "cveTags": [], "descriptions": [{"lang": "en", "value": "Summarize versions through 0.14.1, fixed in commit 0cfb0fb, creates the daemon configuration directory and file with default filesystem permissions that may be world-readable on Unix-like systems, allowing local attackers to read bearer tokens and API credentials stored in ~/.summarize/daemon.json. A local attacker can exploit these permissive permissions to read the daemon bearer token and persisted provider credentials, enabling unauthorized access to the daemon or recovery of sensitive API keys."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 6.9, "baseSeverity": "MEDIUM", "attackVector": "LOCAL", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "LOW", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": 
"NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N", "baseScore": 6.1, "baseSeverity": "MEDIUM", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 1.8, "impactScore": 4.2}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-732"}]}], "references": [{"url": "https://github.com/steipete/summarize/commit/0cfb0fb99777a87a7b02082b5e4bd449f8dd6175", "source": "[email protected]"}, {"url": "https://github.com/steipete/summarize/pull/214", "source": "[email protected]"}, {"url": "https://www.vulncheck.com/advisories/summarize-insecure-daemon-configuration-file-permissions", "source": "[email protected]"}, {"url": "https://github.com/steipete/summarize/pull/214", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0"}]}}