CVE-2026-45243 Overview
CVE-2026-45243 is a missing authorization vulnerability [CWE-862] in the Steipete Summarize browser extension prior to version 0.15.1. The flaw resides in the content script window.postMessage bridge, which fails to validate the origin and authenticity of incoming messages. Malicious web pages can forge runtime messages with spoofed sender identifiers to interact with automation artifacts scoped to the affected browser tab. Attackers can list, read, create, overwrite, or delete these artifacts without authorization checks. The vulnerability requires user interaction, such as visiting a malicious page while the extension is installed.
Critical Impact
Malicious web pages can manipulate automation artifacts in the victim's browser tab, leading to unauthorized data access, tampering, or deletion through forged postMessage events.
Affected Products
- Steipete Summarize browser extension versions prior to 0.15.1
- Chrome extension component apps/chrome-extension
- Automation artifacts bridge in the content script runtime
Discovery Timeline
- 2026-05-18 - CVE-2026-45243 published to the National Vulnerability Database (NVD)
- 2026-05-19 - Last updated in NVD database
Technical Details for CVE-2026-45243
Vulnerability Analysis
The Summarize extension exposes an automation artifacts bridge through a content script that listens for window.postMessage events. The bridge is intended to relay messages between the page context and the extension background runtime. However, the content script accepts messages without verifying the sender identity or the message origin.
Attackers craft messages that mimic legitimate runtime traffic by populating spoofed sender identifier fields. The extension processes these messages and executes automation operations, including listing existing artifacts, reading their contents, creating new artifacts, overwriting existing data, or deleting stored artifacts. All operations occur within the scope of the active tab where the malicious page is loaded.
Root Cause
The root cause is the absence of authorization gating on the postMessage bridge. The content script trusts message payloads at face value, relying on caller-supplied identifiers rather than enforcing that automation operations originate from a privileged, armed tab context. The fix introduces an explicit arming mechanism through ArtifactsArmMessage and a withArtifactsArmedTab guard.
Attack Vector
An attacker hosts a malicious web page that the victim visits while the vulnerable extension is installed and active. The page issues forged window.postMessage calls targeting the extension's content script. No authentication or extension-level interaction beyond visiting the page is required.
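The two trust decisions described above (which page may post into the content-script bridge, and whose tab an artifact operation belongs to) are modelled in the following added example. It is not code from the Summarize project: the interface names, the "automation:artifacts-*" message shapes and the helper names are assumptions for illustration, and the browser APIs are replaced by plain objects so the logic runs outside a browser.

```typescript
// Added example, not the Summarize project's code. Models the two checks a
// page-to-extension bridge needs; all names below are assumed for illustration.

// ---- Content-script side: the window.postMessage boundary ----------------

// Minimal stand-in for the parts of a DOM MessageEvent the check needs.
interface PageMessageEvent {
  source: unknown; // the Window object that posted the message
  origin: string;  // origin of the posting document
  data: unknown;   // untrusted payload
}

// Accept a page message only if it came from this very window (not a frame or
// opener) and from the origin the bridge was installed for. Nothing inside
// `data` is consulted for the trust decision: the payload is attacker-controlled.
function isTrustedPageMessage(
  ev: PageMessageEvent,
  selfWindow: unknown,
  allowedOrigin: string,
): boolean {
  return ev.source === selfWindow && ev.origin === allowedOrigin;
}

// ---- Background side: runtime messages and the armed-tab guard -----------

// Assumed subset of chrome.runtime.MessageSender; `tab` is filled in by the
// browser, not by the page, so it is the only trustworthy tab identity.
interface Sender {
  tab?: { id: number };
}

type ArtifactsRequest = {
  type: "automation:artifacts-list" | "automation:artifacts-read" | "automation:artifacts-delete";
  tabId?: number; // caller-supplied; must never be used for authorization
  name?: string;
};

// Vulnerable pattern: trusts the tabId carried inside the message payload.
function vulnerableHandle(
  msg: ArtifactsRequest,
  _sender: Sender,
  store: Map<number, string[]>,
): string[] | "denied" {
  const tabId = msg.tabId ?? -1;
  return store.get(tabId) ?? [];
}

// Hardened pattern: the tab identity comes from the browser-populated sender,
// and that tab must have been explicitly armed before any artifact operation.
function withArtifactsArmedTab<T>(
  armedTabs: Set<number>,
  sender: Sender,
  op: (tabId: number) => T,
): T | "denied" {
  const tabId = sender.tab?.id;
  if (tabId === undefined || !armedTabs.has(tabId)) return "denied";
  return op(tabId);
}

function hardenedHandle(
  msg: ArtifactsRequest,
  sender: Sender,
  armedTabs: Set<number>,
  store: Map<number, string[]>,
): string[] | "denied" {
  if (msg.type !== "automation:artifacts-list") return "denied"; // model only "list"
  return withArtifactsArmedTab(armedTabs, sender, (tabId) => store.get(tabId) ?? []);
}

// Constructed scenario: tab 7 holds artifacts; a page loaded in tab 42 sends a
// request whose payload claims to be tab 7, and no tab has been armed.
function demo(): { vulnerable: string[] | "denied"; hardened: string[] | "denied" } {
  const store = new Map<number, string[]>([[7, ["notes.md", "summary.txt"]]]);
  const forged: ArtifactsRequest = { type: "automation:artifacts-list", tabId: 7 };
  const senderFromTab42: Sender = { tab: { id: 42 } };
  const armedTabs = new Set<number>();
  return {
    vulnerable: vulnerableHandle(forged, senderFromTab42, store), // leaks tab 7's list
    hardened: hardenedHandle(forged, senderFromTab42, armedTabs, store), // "denied"
  };
}
```

The point of the split is that origin checking on the content-script side is necessary but not sufficient: a same-origin page script can still post into the bridge, so the background side must also tie every operation to the sender's real tab and to an explicit arming step, which is what the advisory's ArtifactsArmMessage and withArtifactsArmedTab guard provide.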
// Patch from apps/chrome-extension/src/automation/native-input-guard.ts
enabled: boolean;
};
+export type ArtifactsArmMessage = {
+ type: "automation:artifacts-arm";
+ tabId: number;
+ enabled: boolean;
+};
+
+export function updateArmedTabs(args: {
armedTabs: Set<number>;
senderHasTab: boolean;
tabId?: number;
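Review bot: in `updateArmedTabs` the `tabId?: number` parameter is optional while `ArtifactsArmMessage.tabId` is required, so it is worth stating in the signature (or a doc comment) which of the two is authoritative; given the `senderHasTab: boolean` flag, the intent appears to be that arming is refused when the browser-populated sender has no tab, and the message's own `tabId` should never be used as a fallback, since a caller-supplied identifier is exactly what this CVE is about. The excerpt ends inside the parameter list, so the body enforcing that is not visible here; a short comment on `ArtifactsArmMessage` saying who is allowed to send it would make the contract explicit.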
Source: GitHub Commit 3575440
// Patch from apps/chrome-extension/src/automation/repl.ts
parseArtifact,
upsertArtifact,
} from "./artifacts-store";
-import { withNativeInputArmedTab } from "./native-input-guard";
+import { withArtifactsArmedTab, withNativeInputArmedTab } from "./native-input-guard";
import { executeNavigateTool } from "./navigate";
import { listSkills } from "./skills-store";
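Review bot: this hunk only widens the import from `./native-input-guard` to include `withArtifactsArmedTab`; the call sites that wrap the artifact REPL handlers (the list/read/create/overwrite/delete paths that use `parseArtifact` and `upsertArtifact` from `./artifacts-store`) are not in the excerpt, so the review should confirm that every artifact entry point is wrapped and that none remains reachable through an unguarded path. A one-line comment next to the guards noting that native-input and artifacts arming are tracked separately would help future readers.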
Source: GitHub Commit 3575440. The patch wraps artifact REPL operations with withArtifactsArmedTab, ensuring only explicitly armed tabs can invoke artifact operations.
Detection Methods for CVE-2026-45243
Indicators of Compromise
- Unexpected automation:artifacts-* postMessage traffic originating from untrusted web origins in browser console logs.
- Unexplained creation, modification, or deletion of automation artifacts in the Summarize extension storage.
- Browser extension event logs showing artifact operations not tied to user-initiated actions.
Detection Strategies
- Inventory installed browser extensions across managed endpoints and flag Summarize installations below version 0.15.1.
- Monitor extension storage changes through enterprise browser management telemetry where available.
- Correlate visits to untrusted domains with anomalous extension activity for users running the vulnerable version.
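The inventory step above (flag installations below the fixed version) is the part most teams automate. The following added example, not part of the advisory or the Summarize project, takes records collected from each endpoint's extension manifest.json files and reports the vulnerable ones. The inventory records and hostnames are constructed sample data; the version threshold 0.15.1 is the one the advisory gives. It uses a numeric dotted-version comparison because plain string comparison would rank "0.9.10" above "0.15.1".

```typescript
// Added example, not the project's code. Flags copies of the extension whose
// manifest version is below the fixed version, from a constructed inventory.

interface ManifestRecord {
  extensionId: string; // directory name under .../Extensions (placeholder values below)
  name: string;        // manifest "name"
  version: string;     // manifest "version"
  host: string;        // endpoint the manifest was collected from
}

// Chrome extension versions are one to four dot-separated integers; compare
// them numerically, treating missing trailing components as 0.
function compareVersions(a: string, b: string): number {
  const pa = a.split(".").map(Number);
  const pb = b.split(".").map(Number);
  const n = Math.max(pa.length, pb.length);
  for (let i = 0; i < n; i++) {
    const x = pa[i] ?? 0;
    const y = pb[i] ?? 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// Version threshold from the advisory: anything below this is affected.
const FIXED_VERSION = "0.15.1";

// Return the records that identify as the Summarize extension and sit below
// the fixed version. Matching on the manifest name is an assumption: if the
// manifest uses a localized "__MSG_...__" name, match on extensionId instead.
function findVulnerable(records: ManifestRecord[]): ManifestRecord[] {
  return records.filter(
    (r) => /summarize/i.test(r.name) && compareVersions(r.version, FIXED_VERSION) < 0,
  );
}

// Constructed sample inventory (extension ids are placeholders, not real ids).
const SAMPLE_INVENTORY: ManifestRecord[] = [
  { extensionId: "placeholder-summarize-id", name: "Summarize", version: "0.14.3", host: "laptop-01" },
  { extensionId: "placeholder-summarize-id", name: "Summarize", version: "0.15.2", host: "laptop-02" },
  { extensionId: "placeholder-other-id", name: "Some Other Extension", version: "0.1.0", host: "laptop-01" },
  { extensionId: "placeholder-summarize-id", name: "Summarize", version: "0.9.10", host: "laptop-03" },
];

// Human-readable report lines, one per vulnerable installation.
function report(records: ManifestRecord[]): string[] {
  return findVulnerable(records).map(
    (r) => `${r.host}: ${r.name} ${r.version} < ${FIXED_VERSION} (id ${r.extensionId})`,
  );
}

for (const line of report(SAMPLE_INVENTORY)) console.log(line);
```

Feeding the function is the collection step: on each endpoint, read every Extensions/<extension-id>/<version>_<n>/manifest.json and emit one record per manifest, then run the filter centrally so the threshold lives in one place.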
Monitoring Recommendations
- Track browser extension version inventory through endpoint management tooling and alert on outdated Summarize installations.
- Review web proxy logs for users accessing untrusted sites while running affected extension versions.
- Enable browser audit logging where supported to capture content script messaging anomalies.
How to Mitigate CVE-2026-45243
Immediate Actions Required
- Upgrade Steipete Summarize to version 0.15.2 or later, which incorporates the artifacts bridge guard from pull request #222.
- Audit existing automation artifacts for unauthorized modifications or unexpected entries.
- Restrict installation of the affected extension to trusted users until patching is complete.
Patch Information
The fix is committed in GitHub commit 3575440 and shipped in release v0.15.2. The patch introduces an ArtifactsArmMessage type and a withArtifactsArmedTab guard that requires explicit arming of a tab before artifact operations are accepted. Additional details are available in the VulnCheck Security Advisory.
Workarounds
- Disable or remove the Summarize extension until the upgrade to 0.15.2 is deployed.
- Avoid browsing untrusted websites while the vulnerable extension version remains active.
- Apply enterprise browser policies that block installation of extension versions below 0.15.1.
# Verify installed extension version on Chromium-based browsers (macOS example)
# Each extension lives at Extensions/<extension-id>/<version>_<n>/manifest.json.
# Grepping "version" lines alone will not show the extension name, so match on
# the manifest "name" first, then print that manifest's "version".
EXT_DIR="$HOME/Library/Application Support/Google/Chrome/Default/Extensions"
find "$EXT_DIR" -name manifest.json -print0 \
  | xargs -0 grep -il '"name"[[:space:]]*:.*summarize' \
  | while IFS= read -r manifest; do
      printf '%s: ' "$manifest"
      grep -o '"version"[[:space:]]*:[[:space:]]*"[^"]*"' "$manifest"
    done
# Enforce minimum version via Chrome enterprise policy (ExtensionSettings JSON)
# {
#   "<extension-id>": {
#     "installation_mode": "force_installed",
#     "minimum_version_required": "0.15.2"
#   }
# }
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.