PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-45246 steipete CVE debrief

CVE-2026-45246 is a medium-severity insecure file permission vulnerability (CWE-732, Incorrect Permission Assignment for Critical Resource) in Summarize, a tool by steipete, affecting versions prior to 0.15.1. The flaw lies in the refresh-free configuration rewrite path: when the application replaces a configuration file, it creates the replacement with whatever mode the process umask allows instead of preserving the original file's permissions. On shared Unix-like systems this exposes the credentials the file holds, including API keys and provider credentials, to other local users. The CVE was published on May 18, 2026 and modified on May 19, 2026. It is not listed in CISA's Known Exploited Vulnerabilities (KEV) catalog, and there is no indication of use in ransomware campaigns. The issue is addressed in version 0.15.2, with a patch commit available.

Vendor
steipete
Product
summarize
CVSS
MEDIUM 6.8
CISA KEV
Not listed in stored evidence
Original CVE published
2026-05-18
Original CVE updated
2026-05-19
Advisory published
2026-05-18
Advisory updated
2026-05-19

Who should care

System administrators managing multi-user Unix-like environments where Summarize is deployed; security teams responsible for secrets management and credential exposure prevention; developers and DevOps engineers using Summarize for API operations who may have configuration files with embedded credentials; compliance officers concerned with unauthorized access to API keys and provider credentials on shared infrastructure.

Technical summary

The vulnerability stems from improper handling of file permissions during atomic replacement of configuration files in Summarize's refresh-free rewrite mechanism. To rewrite a configuration file, the application writes a temporary replacement file and then renames it over the original. The temporary file is created with the mode the process umask allows; the code neither sets a restrictive mode explicitly nor copies the original file's permission bits across. After the rename the configuration file carries whatever mode the temporary file received, so an owner-only mode (such as 0600) on the original is lost.

On Unix-like systems with a default or permissive umask (022 or 002), the rewritten file therefore ends up group- or world-readable (typically 644 or 664). Because Summarize configuration files hold authentication material, including API keys and provider credentials, any local user who can reach the configuration directory can read those secrets: with a umask of 002 the exposure is to every member of the owner's group, with 022 it is to every user on the host.

Exploitation requires local access to a shared system where Summarize is installed, and only the low privileges needed to read files in the configuration directory. The confidentiality impact is rated high because authentication credentials are exposed directly; integrity and availability impacts are none. No user interaction is required and attack complexity is low.
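As an added illustration (not Summarize's own code, which this page does not show), the following Python reconstructs the pattern the advisory describes and places the hardened version beside it. The unsafe rewrite creates the replacement file under the process umask and renames it over the original, discarding the original's mode; the safe rewrite creates the temporary file owner-only, carries the original mode across with fchmod, and fsyncs before the rename. File names, the config content and the umask values are constructed for the demonstration.

```python
import os
import stat
import tempfile
from contextlib import contextmanager

# Constructed sample content standing in for a Summarize config file that holds
# a provider credential. The key is a placeholder, not a real secret.
SAMPLE_CONFIG = '{"provider": "openai", "apiKey": "sk-placeholder-not-a-real-key"}\n'


@contextmanager
def umask_of(value):
    """Temporarily set the process umask; it is process-wide, so always restore it."""
    old = os.umask(value)
    try:
        yield
    finally:
        os.umask(old)


def mode_of(path):
    """Permission bits of path as an int, e.g. 0o600."""
    return stat.S_IMODE(os.stat(path).st_mode)


def rewrite_unsafe(path, data):
    """The CWE-732 pattern the advisory describes (a reconstruction, not the
    project's code): the replacement file is created with the default mode
    0o666 masked by the umask, then renamed over the original, so the
    original's restrictive bits are discarded."""
    tmp = path + ".tmp"
    with open(tmp, "w") as f:   # mode = 0o666 & ~umask, e.g. 0o644 under umask 022
        f.write(data)
    os.replace(tmp, path)       # atomic rename; path now carries tmp's mode
    return mode_of(path)


def rewrite_safe(path, data):
    """Hardened atomic rewrite: create the temp file owner-only regardless of the
    umask, copy the original file's permission bits onto it, fsync, then rename."""
    directory = os.path.dirname(os.path.abspath(path))
    try:
        keep_mode = mode_of(path)
    except FileNotFoundError:
        keep_mode = 0o600       # first write: owner-only
    # mkstemp opens with O_CREAT|O_EXCL at mode 0o600, which the umask can only narrow.
    fd, tmp = tempfile.mkstemp(dir=directory, prefix=".config-", suffix=".tmp")
    try:
        with os.fdopen(fd, "wb") as f:
            f.write(data.encode("utf-8"))
            f.flush()
            os.fsync(f.fileno())
            os.fchmod(f.fileno(), keep_mode)   # restore the original bits before the rename
        os.replace(tmp, path)
    except BaseException:
        if os.path.exists(tmp):     # do not leave a half-written temp file behind
            os.unlink(tmp)
        raise
    return mode_of(path)


def demo(umask_value):
    """Run both rewrites against fresh 0o600 config files under the given umask.
    Returns (mode after unsafe rewrite, mode after safe rewrite)."""
    with tempfile.TemporaryDirectory() as d:
        unsafe_path = os.path.join(d, "config-unsafe.json")
        safe_path = os.path.join(d, "config-safe.json")
        for p in (unsafe_path, safe_path):
            with open(p, "w") as f:
                f.write(SAMPLE_CONFIG)
            os.chmod(p, 0o600)  # the owner-only mode a careful setup would have left
        with umask_of(umask_value):
            return (rewrite_unsafe(unsafe_path, SAMPLE_CONFIG),
                    rewrite_safe(safe_path, SAMPLE_CONFIG))


if __name__ == "__main__":
    for um in (0o022, 0o002, 0o077):
        unsafe_mode, safe_mode = demo(um)
        print(f"umask {um:03o}: unsafe rewrite -> {unsafe_mode:04o}, "
              f"safe rewrite -> {safe_mode:04o}")
```

Run stand-alone, the block reports the mode each rewrite leaves behind under umasks 022, 002 and 077: the unsafe path yields 644, 664 and 600 respectively, the hardened path keeps 600 throughout. Preserving the original mode is only as good as the original, so a file that was already 644 stays 644 after the safe rewrite; that is why auditing existing files remains a separate step from patching.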

Defensive priority

medium

Recommended defensive actions

  • Upgrade Summarize to version 0.15.2 or later, the release the advisory names as carrying the fix.
  • If immediate patching is not possible, reduce the exposure window on multi-user hosts: make the Summarize configuration directory owner-only (mode 0700) and its files mode 0600, and run Summarize under a restrictive umask (077) so that any rewrite it performs cannot produce group- or world-readable files.
  • Audit the permissions of existing Summarize configuration files on shared Unix-like systems, checking for any group or other bits rather than world-readability alone; under umask 002 the rewrite yields 664, which exposes the file to every member of the owner's group.
  • Treat any API key or provider credential held in a file that was group- or world-readable on a shared host as potentially exposed and rotate it; tightening the mode stops future reads but does not undo earlier ones.
  • Monitor for reads of Summarize configuration files by users other than the owner, for example with a file-access audit rule on the configuration directory.
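The audit and tightening steps above, as an added Python example that is not part of the advisory or the project. The page does not state where Summarize keeps its configuration, so the directory is taken as an argument; the demonstration runs against a constructed temporary tree containing one file left at 644 (what a rewrite under umask 022 produces) and one at 600.

```python
import os
import stat
import tempfile


def exposed_files(root):
    """Regular files under root whose mode grants any permission to group or
    others (any bit of 0o077). Symlinks are skipped: lstat reports the link,
    not its target, and chmod on a link would alter the target instead."""
    found = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = os.path.join(dirpath, name)
            st = os.lstat(p)
            if stat.S_ISREG(st.st_mode) and stat.S_IMODE(st.st_mode) & 0o077:
                found.append(p)
    return sorted(found)


def tighten(root):
    """Make the tree owner-only: 0o700 on directories, 0o600 on regular files.
    Returns the paths whose mode was changed."""
    changed = []
    for dirpath, _dirs, files in os.walk(root):
        if stat.S_IMODE(os.lstat(dirpath).st_mode) != 0o700:
            os.chmod(dirpath, 0o700)
            changed.append(dirpath)
        for name in files:
            p = os.path.join(dirpath, name)
            st = os.lstat(p)
            if stat.S_ISREG(st.st_mode) and stat.S_IMODE(st.st_mode) != 0o600:
                os.chmod(p, 0o600)
                changed.append(p)
    return changed


def demo():
    """Build a constructed config tree with one loose file, audit it, tighten it,
    audit again. Returns (exposed before, exposed after) as paths relative to root."""
    with tempfile.TemporaryDirectory() as root:
        config = os.path.join(root, "config.json")
        state = os.path.join(root, "cache", "state.json")
        os.makedirs(os.path.dirname(state))
        for path, mode in ((config, 0o644), (state, 0o600)):  # 0o644: umask 022 result
            with open(path, "w") as f:
                f.write('{"apiKey": "placeholder-not-a-real-key"}\n')  # constructed content
            os.chmod(path, mode)
        before = [os.path.relpath(p, root) for p in exposed_files(root)]
        tighten(root)
        after = [os.path.relpath(p, root) for p in exposed_files(root)]
        return before, after


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        # Audit only: list mode and path for every exposed file under the given directory.
        for p in exposed_files(sys.argv[1]):
            print(f"{stat.S_IMODE(os.lstat(p).st_mode):04o} {p}")
    else:
        print(demo())
```

Invoked with a directory argument the script only reports; `tighten` is left to be called deliberately after reviewing the list, since any file it finds is also a candidate for credential rotation. Setting `umask 077` in the shell profile of the account that runs Summarize keeps a pre-0.15.2 rewrite from loosening the files again.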

Evidence notes

The vulnerability description and technical details are sourced from the official NVD record and Vulncheck advisory. The affected version range (prior to 0.15.1) and fix version (0.15.2) are confirmed through the NVD CPE criteria and GitHub release notes. The CVSS 4.0 vector (AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N) indicates local attack vector with low attack complexity, requiring low privileges and no user interaction, with high impact to confidentiality. The CWE-732 classification is provided by the disclosure source.

Official resources

The vulnerability was disclosed through coordinated disclosure via [email protected], with official references including a patch commit, pull request with exploit details and tracking, release notes, and a third-party advisory from V