Missing Authorization in Summarize Browser Extension by Steipete
CVE-2026-45243

5.3 MEDIUM

Key Information:

Vendor

Steipete

Status
Vendor
CVE Published: 18 May 2026

What is CVE-2026-45243?

A missing authorization vulnerability has been identified in the Summarize browser extension, affecting versions prior to 0.15.1. This flaw allows attackers to exploit the content script window.postMessage bridge, enabling unauthorized operations on automation artifacts. By simulating runtime messages with spoofed sender identifiers, malicious actors can list, read, create, overwrite, or delete automation artifacts scoped to the affected tab, circumventing necessary authorization checks. This exposes users to potential misuse of their automation functionalities.

Affected Version(s)

summarize 0

summarize 0 < 0.15.1

summarize 357544063af535bd574752622f9eb94be33ee5fd

References

CVSS V4

Score: 5.3
Severity: MEDIUM
Confidentiality: None
Integrity: None
Availability: None
Attack Vector: Network
Attack Complexity: Low
Attack Required: None
Privileges Required: Undefined
User Interaction: Unknown

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Chia Min Jun Lennon