PatchSiren cyber security CVE debrief
CVE-2026-45222 steipete CVE debrief
CVE-2026-45222 debrief: Summarize versions through 0.14.1 creates daemon configuration directory and file with default filesystem permissions that may be world-readable on Unix-like systems, allowing local attackers to read bearer tokens and API credentials stored in ~/.summarize/daemon.json. This vulnerability enables unauthorized access to the daemon or recovery of sensitive API keys. Users of Summarize versions through 0.14.1 on Unix-like systems should verify their daemon configuration directory and file permissions to prevent unauthorized access.
- Vendor
- steipete
- Product
- summarize
- CVSS
- MEDIUM 6.9
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-05-11
- Original CVE updated
- 2026-07-14
- Advisory published
- 2026-05-11
- Advisory updated
- 2026-07-14
Who should care
Users of Summarize versions through 0.14.1 on Unix-like systems should verify their daemon configuration directory and file permissions to prevent unauthorized access. This includes operators, platform administrators, vulnerability management teams, and security teams who need to ensure the security of their systems.
Technical summary
The Summarize daemon configuration directory and file are created with default filesystem permissions that may be world-readable on Unix-like systems. This allows local attackers to read bearer tokens and API credentials stored in ~/.summarize/daemon.json, enabling unauthorized access to the daemon or recovery of sensitive API keys. The vulnerability affects Summarize versions through 0.14.1 and is fixed in commit 0cfb0fb.
Defensive priority
Medium priority due to local attack vector and potential for unauthorized access.
Recommended defensive actions
- Verify daemon configuration directory and file permissions
- Restrict access to ~/.summarize/daemon.json
- Monitor for suspicious activity
- Update to version with fixed permissions
- Review compensating controls for exposed systems while remediation is scheduled and verified
- Check relevant monitoring, detection, and logs for exposed assets that need extra review
- Track exceptions, retest remediated assets, and close the item only after evidence is documented
Evidence notes
Evidence is based on limited source detail, including CVE and NVD records, and a few source references. The CVE record was published on 2026-05-11T19:16:27.313Z and has not been modified since then. The NVD entry is currently Deferred. Limited source detail suggests verifying daemon configuration directory and file permissions to prevent unauthorized access.
Official resources
AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-05-11T19:16:27.313Z and has not been modified since then. The NVD entry is currently Deferred.