PatchSiren cyber security CVE debrief

CVE-2026-45244 steipete CVE debrief

CVE-2026-45244 is a missing authorization vulnerability in Summarize, a browser extension by Steipete, affecting versions prior to 0.15.1. The vulnerability allows attackers to execute browser automation actions without per-call user approval when the extension's automation feature is enabled. Attackers can influence the agent through malicious page or summary content to invoke enabled extension automation tools such as navigation or debugger-backed actions, bypassing the final user approval step when a user interacts with attacker-controlled content. The CVSS 4.0 score of 2.1 (LOW) reflects the attack complexity requiring user interaction and the limited scope of impact. The vulnerability was disclosed on 2026-05-18 and analyzed by NVD. A patch is available in version 0.15.1, with release notes published for v0.15.2. The root cause is categorized as CWE-862 (Missing Authorization).

Vendor: steipete
Product: summarize
CVSS: LOW 2.1
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-18
Original CVE updated: 2026-05-19
Advisory published: 2026-05-18
Advisory updated: 2026-05-19

Who should care

Organizations and users deploying the Summarize browser extension with automation features enabled; security teams monitoring browser extension attack surfaces; developers of AI-assisted browser tools implementing authorization controls for automation capabilities.

Technical summary

The Summarize browser extension prior to v0.15.1 fails to enforce per-call user authorization for extension automation actions when the automation feature is enabled. An attacker can craft malicious page content or summary content that influences the agent to invoke enabled automation tools, including navigation and debugger-backed actions, without triggering the expected final user approval step. This is a CWE-862 (Missing Authorization) weakness. The attack requires user interaction with attacker-controlled content and the precondition that automation features are enabled. The vulnerability does not directly compromise the confidentiality, integrity, or availability of the extension itself, but it enables unauthorized automation execution with limited scope impact on system resources.

Defensive priority

LOW

Recommended defensive actions

  • Upgrade Summarize to version 0.15.1 or later to remediate the missing authorization vulnerability
  • Review and disable extension automation features if not required for operational use
  • Implement content security policies to reduce exposure to attacker-controlled page content
  • Monitor for unauthorized browser automation actions in extension logs
  • Validate that user approval prompts are functioning correctly after patching

Evidence notes

CVE published 2026-05-18T20:16:38.390Z; modified 2026-05-19T01:34:45.673Z. NVD status: Analyzed. CVSS 4.0 vector confirms network attack vector with user interaction required. CPE indicates affected versions prior to 0.15.1.

Official resources

2026-05-18