PT-2026-41723 · Npm+1 · @Steipete/Summarize+1
Published 2026-05-18 · Updated 2026-05-20 · CVE-2026-45244
CVSS v3.1: 5.4 (Medium)
Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions
Summarize versions prior to 0.15.1
Description
A missing authorization issue allows attackers to execute browser automation actions without per-call user approval when the extension automation feature is enabled. By using malicious page or summary content, attackers can influence the agent to invoke enabled extension automation tools, such as navigation or debugger-backed actions, bypassing the final user approval step during interaction with attacker-controlled content.
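The missing control, per-call user approval, shown as an added example next to the feature-toggle-only check; this is not Summarize's code. The tool names, function names, settings object and approval callback are all hypothetical, and the approval callback is synchronous to keep the sketch short.

```javascript
// Added illustration only: hypothetical tool registry, not the extension's API.
const TOOLS = new Map([
  ["navigate", { sensitive: true, run: (a) => `navigated to ${a.url}` }],
  ["debugger_eval", { sensitive: true, run: (a) => `debugger ran ${a.expr}` }],
  ["read_title", { sensitive: false, run: () => "title: Example" }],
]);

// Flawed shape: the feature toggle is the only authorization check, so a tool
// call the agent emits after reading untrusted page or summary text runs
// without anyone reviewing that specific action.
function dispatchFeatureFlagOnly(call, settings) {
  if (!settings.automationEnabled) return { ok: false, reason: "automation disabled" };
  const tool = TOOLS.get(call.name);
  if (!tool) return { ok: false, reason: "unknown tool" };
  return { ok: true, result: tool.run(call.args) };
}

// Hardened shape: each sensitive call needs a fresh user decision bound to
// this exact tool name and argument set. Approvals are never cached or reused.
function dispatchWithApproval(call, settings, askUser, auditLog) {
  if (!settings.automationEnabled) return { ok: false, reason: "automation disabled" };
  const tool = TOOLS.get(call.name);
  if (!tool) return { ok: false, reason: "unknown tool" };
  if (tool.sensitive) {
    // Show the user exactly what will run, not the model's description of it.
    const request = { name: call.name, args: JSON.stringify(call.args) };
    const approved = askUser(request) === true; // anything but true fails closed
    auditLog.push({ ...request, approved });     // record denials as well
    if (!approved) return { ok: false, reason: "user denied" };
  }
  return { ok: true, result: tool.run(call.args) };
}

// Constructed sample: a tool call produced while summarizing untrusted content.
const sampleCall = { name: "navigate", args: { url: "https://example.invalid/" } };
```

Denied entries in the audit log are a useful detection signal: a run of rejected navigation or debugger requests while one page is being summarized suggests the content is steering the agent.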
Recommendations
Update to version 0.15.1 or later.
As a temporary workaround, disable the extension automation feature to prevent unauthorized browser automation actions.
Fix
Missing Authorization
Weakness Enumeration
Related Identifiers
Affected Products
@Steipete/Summarize
Summarize