CVE-2026-45222

Published: Mag 11, 2026 Last Modified: Mag 11, 2026
ExploitDB:
Other exploit source:
Google Dorks:
MEDIUM 6,9
Source: [email protected]
Attack Vector: local
Attack Complexity: low
Privileges Required: low
User Interaction: none
Confidentiality: N/A
Integrity: N/A
Availability: N/A
MEDIUM 6,1
Source: [email protected]
Attack Vector: local
Attack Complexity: low
Privileges Required: low
User Interaction: none
Scope: unchanged
Confidentiality: high
Integrity: low
Availability: none

Description

AI Translation Available

Summarize versions through 0.14.1, fixed in commit 0cfb0fb, creates the daemon configuration directory and file with default filesystem permissions that may be world-readable on Unix-like systems, allowing local attackers to read bearer tokens and API credentials stored in ~/.summarize/daemon.json. A local attacker can exploit these permissive permissions to read the daemon bearer token and persisted provider credentials, enabling unauthorized access to the daemon or recovery of sensitive API keys.

732

Incorrect Permission Assignment for Critical Resource

Draft
Abstraction: Class Structure: Simple
Common Consequences
Security Scopes Affected:
Confidentiality Access Control Integrity Other
Potential Impacts:
Read Application Data Read Files Or Directories Gain Privileges Or Assume Identity Modify Application Data Other
Applicable Platforms
Technologies: Cloud Computing, Not Technology-Specific
Likelihood of Exploit: High
View CWE Details
https://github.com/steipete/summarize/pull/214
https://github.com/steipete/summarize/pull/214
https://github.com/steipete/summarize/commit/0cfb0fb99777a8…
https://github.com/steipete/summarize/commit/0cfb0fb99777a87a7b02082b5e4bd449f8…
https://github.com/steipete/summarize/pull/214
https://github.com/steipete/summarize/pull/214
https://www.vulncheck.com/advisories/summarize-insecure-dae…
https://www.vulncheck.com/advisories/summarize-insecure-daemon-configuration-fi…