CVE-2026-45244 Overview
CVE-2026-45244 is a missing authorization vulnerability [CWE-862] in the Steipete Summarize Chrome extension prior to version 0.15.2. The flaw allows attackers to invoke browser automation tools without the per-call user approval step when the extension automation feature is enabled. Attackers craft malicious page or summary content that influences the agent into executing enabled automation tools, including navigation and debugger-backed actions. Exploitation requires the user to interact with attacker-controlled content while the automation feature is active.
Critical Impact
An attacker-influenced agent can execute browser automation actions, including navigation and debugger-backed operations, bypassing the final user approval gate.
Affected Products
- Steipete Summarize Chrome extension versions prior to 0.15.1
- Component: steipete:summarize
- Fixed in release v0.15.2
Discovery Timeline
- 2026-05-18 - CVE-2026-45244 published to NVD
- 2026-05-19 - Last updated in NVD database
Technical Details for CVE-2026-45244
Vulnerability Analysis
The Summarize extension exposes an agent that can invoke automation tools such as page navigation and Chrome debugger-backed actions. When the extension automation feature is enabled, the agent loop executes tool calls without enforcing a per-invocation user confirmation. Malicious content embedded in a page or summary can steer the agent through prompt injection. The result is unauthorized invocation of automation tools triggered by content the user merely views.
The issue is classified as Missing Authorization [CWE-862]. The fix introduces a confirmToolCall step into the agent execution path so automation tool calls require explicit user approval before execution.
Root Cause
The root cause is the absence of an authorization checkpoint between tool selection and tool execution within the chat agent loop in apps/chrome-extension/src/entrypoints/sidepanel/chat-agent-loop.ts. Automation tool names returned by getAutomationToolNames() were passed to executeToolCall() without first prompting the user. Any agent decision influenced by untrusted page or summary content propagated directly to a privileged browser action.
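To make the root cause concrete, the following added example (not code from the Summarize project) contrasts an agent loop that hands model-proposed tool calls straight to execution with one that gates every automation tool call behind a per-call approval; the type shapes, the tool names, and the executeTool/confirmToolCall stand-ins are assumptions simplified from the identifiers the advisory names.

```typescript
type ToolCall = { id: string; name: string; args: Record<string, string> };
type ToolResultMessage = { role: "toolResult"; toolCallId: string; ok: boolean; text: string };
type Approver = (call: ToolCall) => boolean;

// Privileged tools that act on the live browser session (stand-in for what
// getAutomationToolNames() returns; these names are assumed).
const AUTOMATION_TOOL_NAMES: ReadonlySet<string> = new Set(["navigate", "debugger_eval"]);

// Simulated tool execution; records which tools actually ran.
const executed: string[] = [];
function executeTool(call: ToolCall): ToolResultMessage {
  executed.push(call.name);
  return { role: "toolResult", toolCallId: call.id, ok: true, text: `${call.name} ran` };
}

// Pre-fix shape: calls proposed by the model go straight to execution,
// so content that steers the model steers the browser.
function runUnguarded(calls: ToolCall[]): ToolResultMessage[] {
  return calls.map((call) => executeTool(call));
}

// Fixed shape: every automation tool call must pass confirmToolCall() first.
// A declined call is returned as a tool result so the model sees the refusal
// instead of the loop stalling; non-automation tools are unaffected.
function runGuarded(calls: ToolCall[], confirmToolCall: Approver): ToolResultMessage[] {
  return calls.map((call) => {
    if (AUTOMATION_TOOL_NAMES.has(call.name) && !confirmToolCall(call)) {
      return { role: "toolResult", toolCallId: call.id, ok: false, text: `${call.name} declined by user` };
    }
    return executeTool(call);
  });
}

// Constructed sample: the summary the user asked for, followed by a
// navigation call that injected page text talked the model into proposing.
const sampleCalls: ToolCall[] = [
  { id: "c1", name: "summarize_page", args: {} },
  { id: "c2", name: "navigate", args: { url: "https://example.invalid/" } },
];

// Runs both loops on the sample and reports which tools each one executed.
function demo(confirm: Approver): { unguarded: string[]; guarded: string[]; results: ToolResultMessage[] } {
  executed.length = 0;
  runUnguarded(sampleCalls);
  const unguarded = [...executed];
  executed.length = 0;
  const results = runGuarded(sampleCalls, confirm);
  return { unguarded, guarded: [...executed], results };
}
```

With the approver returning false, the unguarded loop executes both calls while the guarded loop executes only summarize_page and records the declined navigation as a tool result.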
Attack Vector
The attack vector is network-based and requires user interaction. An attacker hosts content containing instructions that the agent interprets as legitimate tool requests. When a user summarizes or interacts with the attacker-controlled page, the agent invokes automation tools without prompting. The attacker can chain navigation or debugger-backed operations to influence the user's browser session.
// Patch excerpt: chat-agent-loop.ts adds confirmToolCall import
chatController,
chatSession,
createStreamingAssistantMessage,
+ confirmToolCall,
executeToolCall,
getAutomationToolNames,
hasDebuggerPermission,
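Review bot: the import of confirmToolCall is not accompanied by its call site; the guarded path where confirmToolCall runs before executeToolCall for each name returned by getAutomationToolNames() should be included in this excerpt, because the import line alone does not demonstrate that the per-invocation approval step is enforced on every iteration of the loop.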
Source: GitHub Commit e64fe3e
// Patch excerpt: main.ts now imports ToolResultMessage for confirmation flow
-import type { Message, ToolCall } from "@mariozechner/pi-ai";
+import type { Message, ToolCall, ToolResultMessage } from "@mariozechner/pi-ai";
import { extractYouTubeVideoId } from "@steipete/summarize-core/content/url";
import MarkdownIt from "markdown-it";
import { executeToolCall, getAutomationToolNames } from "../../automation/tools";
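Review bot: ToolResultMessage is brought in as a type-only import while the existing import of executeToolCall and getAutomationToolNames from "../../automation/tools" is left unchanged, so main.ts still holds a direct path to execution; confirm that every caller of executeToolCall in main.ts also passes through the new confirmation flow and that a declined call is surfaced as a ToolResultMessage rather than dropped, since the excerpt shows neither the call sites nor the use of the new type.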
Source: GitHub Commit e64fe3e
Detection Methods for CVE-2026-45244
Indicators of Compromise
- Unexpected navigation events originating from the Summarize extension while a summary or chat session is active.
- Chrome debugger API attach events tied to the Summarize extension without explicit user action.
- Summarize extension versions earlier than 0.15.2 installed in managed Chrome inventories.
Detection Strategies
- Inventory Chrome extensions across managed endpoints and flag installations of steipete/summarize below version 0.15.2.
- Monitor browser process telemetry for chrome.debugger attach calls and chrome.tabs navigation events correlated with extension activity.
- Review extension permission grants and identify endpoints where the automation feature is enabled.
Monitoring Recommendations
- Capture and review Chrome enterprise reporting events for extension-initiated network requests.
- Alert on installations of vulnerable Summarize versions through software inventory tooling.
- Correlate user-reported anomalous browser navigation with extension activity logs.
How to Mitigate CVE-2026-45244
Immediate Actions Required
- Upgrade the Summarize Chrome extension to version 0.15.2 or later on all endpoints.
- Disable the extension automation feature until the patched version is deployed.
- Audit managed Chrome environments for unauthorized installations of vulnerable Summarize versions.
Patch Information
The vendor released the fix in commit e64fe3e and shipped it in release v0.15.2. The patch introduces a confirmToolCall step requiring explicit user approval before any automation tool invocation. See the GitHub Pull Request #219 and GitHub Release v0.15.2. Additional context is published in the VulnCheck Security Advisory.
Workarounds
- Disable the extension automation feature in Summarize settings until upgrading.
- Restrict the extension's Chrome debugger permission via enterprise policy.
- Block installation of Summarize versions earlier than 0.15.2 using Chrome ExtensionSettings policy.
# Chrome enterprise policy example: force-update Summarize to patched version
# Place under ExtensionSettings policy (managed Chrome)
{
  "<summarize-extension-id>": {
    "installation_mode": "force_installed",
    "update_url": "https://clients2.google.com/service/update2/crx",
    "minimum_version_required": "0.15.2"
  }
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.