Insecure File Permissions in Summarize Daemon Configuration on Unix-like Systems
CVE-2026-45222

6.9 MEDIUM

Key Information:

Vendor

Steipete

Status
Vendor
CVE Published: 11 May 2026

What is CVE-2026-45222?

The Summarize application exposes its daemon configuration file with overly permissive filesystem permissions, particularly on Unix-like systems. Versions up to 0.14.1 allow local attackers to access the configuration directory and read sensitive information, such as bearer tokens and API credentials, stored in the file ~/.summarize/daemon.json. The risk is significant: a malicious local user can potentially use these permissions to gain unauthorized access to the daemon or to extract sensitive API keys, undermining the security of the application.
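A defender can check whether a host is exposed by testing the group and other permission bits on the configuration directory and on daemon.json. The script below is an added example, not code from the Summarize project; the function names are hypothetical, and the owner-only targets (0700 for the directory, 0600 for the file) are an assumption about the intended hardened state.

```shell
#!/bin/sh
# Added example: audit (and optionally tighten) permissions on the
# Summarize daemon configuration named in the advisory.
# Assumption: owner-only access (0700 directory, 0600 file) is the goal.

# Print the octal permission bits of a path (GNU stat first, then BSD stat).
mode_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1" 2>/dev/null
}

# Succeed (return 0) when group or other hold any permission bit on the path.
is_exposed() {
    m=$(mode_of "$1") || return 2
    [ $(( 0$m & 077 )) -ne 0 ]
}

# Audit the config directory and daemon.json.
#   $1  config directory (default: ~/.summarize)
#   $2  pass --fix to chmod exposed paths to owner-only
# Returns non-zero when exposed paths remain after the run.
audit_summarize() {
    dir=${1:-"$HOME/.summarize"}
    fix=${2:-}
    findings=0
    for p in "$dir" "$dir/daemon.json"; do
        [ -e "$p" ] || continue
        if is_exposed "$p"; then
            echo "EXPOSED $(mode_of "$p") $p"
            if [ "$fix" = "--fix" ]; then
                if [ -d "$p" ]; then chmod 700 "$p"; else chmod 600 "$p"; fi
                echo "FIXED   $(mode_of "$p") $p"
            else
                findings=$((findings + 1))
            fi
        fi
    done
    [ "$findings" -eq 0 ]
}

# Usage: audit_summarize                           (report only)
#        audit_summarize "$HOME/.summarize" --fix  (tighten in place)
```

Tightening the mode does not undo earlier reads: if the file was world- or group-readable on a shared host, the bearer token and API credentials it holds should be rotated.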

Affected Version(s)

summarize 0 <= 0.14.1

summarize 0cfb0fb99777a87a7b02082b5e4bd449f8dd6175

References

CVSS V4

Score: 6.9
Severity: MEDIUM
Confidentiality: High
Integrity: Low
Availability: None
Attack Vector: Local
Attack Complexity: Low
Attack Required: None
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Chia Min Jun Lennon