PT-2026-39728 · Summarize · Summarize
Hinotoi-Agent
·
Published
2026-05-11
·
Updated
2026-05-11
·
CVE-2026-45222
CVSS v4.0
6.9
Medium
| Vector | AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N |
Name of the Vulnerable Software and Affected Versions
Summarize versions prior to 0.14.1
Description
The software creates the daemon configuration directory and file using default filesystem permissions that may be world-readable on Unix-like systems. This allows local attackers to read the
~/.summarize/daemon.json file, which contains bearer tokens and persisted provider API credentials. By exploiting these permissive permissions, an attacker can gain unauthorized access to the daemon or recover sensitive API keys.Recommendations
Update to the version containing commit 0cfb0fb.
Exploit
Fix
Incorrect Permission
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Summarize