CVE-2026-45246 Overview
CVE-2026-45246 is an insecure file permission vulnerability [CWE-732] in Steipete summarize prior to version 0.15.1. The flaw resides in the refresh-free configuration rewrite path, where the application creates a replacement configuration file using the default process umask instead of preserving the original file's permissions. On shared Unix-like systems this exposes the rewritten config file, including API keys and provider credentials, to other local users: any account with shell access on the host can read the secrets without elevated privileges and without ever authenticating to summarize itself. The issue was fixed in release v0.15.2.
Critical Impact
Local users on shared Unix-like hosts can read API keys and provider credentials stored in the rewritten summarize configuration file.
Affected Products
- Steipete summarize versions prior to 0.15.1
- Deployments on shared Unix-like systems where multiple local users have filesystem access
- Configurations storing API keys and provider credentials managed by the refresh-free rewrite path
Discovery Timeline
- 2026-05-18 - CVE-2026-45246 published to NVD
- 2026-05-19 - Last updated in NVD database
Technical Details for CVE-2026-45246
Vulnerability Analysis
The vulnerability stems from how summarize handles configuration rewrites in the refresh-free code path. When the application rewrites its configuration, it writes a replacement file, which is created with the process's default umask, and moves it into place. The restrictive permissions belong to the file that is replaced, so they do not carry over to the new one.
On shared Unix-like systems, default umask values such as 022 produce world-readable files (0666 & ~022 = 0644). The configuration file contains sensitive secrets, including API keys and third-party provider credentials. Any local user with shell access on the host can read these secrets without authenticating to the application itself.
The attack does not require network access or user interaction. An attacker with a local account waits for the application to rewrite its configuration, then reads the resulting file directly from disk.
Root Cause
The root cause is missing permission preservation in the file rewrite logic in src/refresh-free.ts. The rewrite path called writeFile and rename without a chmod to restore the original permission bits. writeFile creates the new file with mode 0666 masked by the umask, and rename replaces the directory entry, so the old file's mode bits are discarded along with the old file; under a 022 umask the replacement is 0644.
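To make the failure concrete, here is an added example in TypeScript (it is not code from the summarize project; the file names and JSON contents are constructed) that reproduces the defect class in a scratch directory and places the owner-only alternative beside it. rewriteLeaky is the write-then-rename pattern the root cause describes; rewriteOwnerOnly reads the original's mode, clamps it to the owner bits (a stricter choice than plain preservation) and applies it to the temp file before the rename. The demo function is likewise an assumption of this example, not an API of the project.

```typescript
// Added example, not code from steipete/summarize. Paths and JSON contents are constructed.
import { chmodSync, mkdtempSync, renameSync, rmSync, statSync, writeFileSync } from "node:fs";
import { tmpdir } from "node:os";
import { join } from "node:path";

/** Permission bits of a path, e.g. 0o644 (file-type bits stripped). */
export function modeOf(path: string): number {
  return statSync(path).mode & 0o777;
}

/**
 * Defective pattern. writeFile creates the replacement with its default 0o666, reduced only
 * by the process umask; rename then points the config name at that new inode. The original
 * file, and its 0600 mode, are simply gone: under umask 022 the live config is now 0644.
 */
export function rewriteLeaky(configPath: string, contents: string): void {
  const tmp = `${configPath}.tmp`;
  writeFileSync(tmp, contents);
  renameSync(tmp, configPath);
}

/**
 * Hardened pattern. Take the original's owner bits (0o600 if there is no original yet),
 * create the temp file with that mode, pin it with chmod (the mode passed at creation is
 * still subject to umask) and only then rename, so a readable copy never appears under
 * the config name. Clamping to the owner bits goes beyond plain preservation: a config
 * that was already 0644 comes back as 0600 instead of staying exposed.
 */
export function rewriteOwnerOnly(configPath: string, contents: string): void {
  let mode = 0o600;
  try {
    mode = modeOf(configPath) & 0o700;
  } catch (err) {
    if ((err as { code?: string }).code !== "ENOENT") throw err; // first write: nothing to preserve
  }
  const tmp = `${configPath}.tmp`;
  writeFileSync(tmp, contents, { mode });
  chmodSync(tmp, mode);
  renameSync(tmp, configPath);
}

/**
 * Run both rewrites under the given umask against 0600 originals in a fresh temp directory
 * and report the mode each config ends up with. The default 0o022 is the common
 * interactive umask the advisory refers to.
 */
export function demo(umask = 0o022): { leaky: number; fixed: number } {
  const dir = mkdtempSync(join(tmpdir(), "summarize-cve-"));
  const previous = process.umask(umask);
  try {
    const leaky = join(dir, "leaky.json");
    const fixed = join(dir, "fixed.json");
    for (const p of [leaky, fixed]) {
      writeFileSync(p, '{"apiKey":"sample-old"}');
      chmodSync(p, 0o600); // well-protected original, as a careful user would have it
    }
    const refreshed = '{"apiKey":"sample-new-constructed"}';
    rewriteLeaky(leaky, refreshed);
    rewriteOwnerOnly(fixed, refreshed);
    return { leaky: modeOf(leaky), fixed: modeOf(fixed) };
  } finally {
    process.umask(previous);
    rmSync(dir, { recursive: true, force: true });
  }
}

const result = demo();
console.log(`leaky rewrite -> 0${result.leaky.toString(8)}, hardened rewrite -> 0${result.fixed.toString(8)}`);
```

Run it with a TypeScript runner such as tsx or ts-node (an assumption about your environment). The umask argument doubles as a check on the page's workaround: demo(0o077) brings the leaky path to 0600 as well, which is exactly why tightening the umask masks the defect without fixing it.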
Attack Vector
Exploitation requires local access to the host running summarize. The attacker reads the rewritten configuration file directly from the filesystem and extracts plaintext credentials. No interaction with the summarize process itself is needed.
// Security patch in src/refresh-free.ts
// Source: https://github.com/steipete/summarize/commit/9e990193650a23dab73f37d5e1964d574a44098b
-import { mkdir, readFile, rename, writeFile } from "node:fs/promises";
+import { chmod, mkdir, readFile, rename, writeFile } from "node:fs/promises";
import { homedir } from "node:os";
import { dirname, join } from "node:path";
import JSON5 from "json5";
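Review bot: this hunk only adds chmod to the import list; the call site that applies the restored mode is not in the excerpt, and where it sits matters. If the original's mode is read before the rewrite and applied with chmod to the temp path after writeFile but before rename, a world-readable file is never published under the config name; a chmod on the final path after rename leaves a window in which the renamed file is 0644. Better still, pass `{ mode }` to writeFile so the temp file is created restrictive (then chmod to pin bits the umask may have stripped), and fall back to 0o600 when there is no original to preserve rather than to the umask default.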
The patch imports chmod so the rewrite path can explicitly restore the original file's mode after writing the replacement; the excerpt above shows only the import, not the call that applies it. Secrets stay owner-only provided the original file was owner-only (0600) to begin with.
Detection Methods for CVE-2026-45246
Indicators of Compromise
- Configuration files written by summarize with world-readable or group-readable mode bits, such as -rw-r--r--, in user home directories.
- Access to the summarize config path by user accounts other than the file owner in shell history or audit logs.
- Unexpected use of credentials or API keys originating from the summarize host outside normal application activity.
Detection Strategies
- Audit the summarize configuration file path under each user's home directory and compare the mode bits against an expected 0600 baseline.
- Enable Linux audit rules (auditd) on the summarize configuration directory so that opens and reads of the file are recorded, and alert when the accessing UID is not the file owner.
- Inspect shell command logs for cat, less, or cp operations targeting the summarize config file from accounts that do not own the file.
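The first two detection strategies can be automated. The following added shell example (not from the page or the project; the config path is the one this page assumes, and the two home directories and their contents are constructed) walks a home-directory root for summarize configs that group or others can read, then proves the check on a fixture in which one user's file was rewritten the way the vulnerable versions do it.

```shell
#!/bin/sh
# Added example, not from the page or the summarize project. Assumes the config lives at
# <home>/.config/summarize/config.json, the path this page uses; adjust the pattern otherwise.

# List config files under the given home-directory roots that group or others can read.
# -perm -040: group read bit set; -perm -004: other read bit set. Any hit is drift from the
# 0600 baseline and, on a shared host, an exposed credential file.
find_leaky_configs() {
  find "$@" -type f -path '*/.config/summarize/config.json' \
    \( -perm -040 -o -perm -004 \) 2>/dev/null
}

# Self-contained fixture: two fake home directories. alice's config is 0600. bob's was 0600
# too, then a refresh rewrote it with the defective temp-file-and-rename pattern under
# umask 022, so the live file ends up 0644 with a constructed sample key inside.
demo() {
  root=$(mktemp -d) || return 1
  for user in alice bob; do
    mkdir -p "$root/home/$user/.config/summarize"
  done
  alice="$root/home/alice/.config/summarize/config.json"
  bob="$root/home/bob/.config/summarize/config.json"

  printf '{"apiKey":"sample-alice"}\n' > "$alice"
  chmod 600 "$alice"

  printf '{"apiKey":"sample-old"}\n' > "$bob"
  chmod 600 "$bob"                   # protected before the rewrite...
  ( umask 022                        # ...then the rewrite creates a new file and renames it
    printf '{"apiKey":"sample-bob"}\n' > "$bob.tmp"
    mv "$bob.tmp" "$bob" )

  find_leaky_configs "$root/home"    # prints bob's file only
  rm -rf "$root"
}

demo
```

On a real host run find_leaky_configs /home (and /root, or wherever home directories live) as a user that can traverse them; feed any hits into the permission-reset step under Workarounds and treat the keys inside as exposed.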
Monitoring Recommendations
- Continuously monitor sensitive dotfiles and configuration directories for permission drift after application updates or upgrades.
- Forward filesystem and authentication telemetry from shared Unix hosts to a centralized logging platform for correlation with credential-abuse alerts.
- Rotate API keys on a defined cadence and alert on any usage of keys from unexpected source IPs or user agents.
How to Mitigate CVE-2026-45246
Immediate Actions Required
- Upgrade Steipete summarize to version 0.15.2 or later, which restores original file permissions during refresh-free rewrites.
- Rotate all API keys and provider credentials referenced in the summarize configuration, treating them as exposed on multi-user systems.
- Manually reset the configuration file mode to 0600 and verify the owning user is the only account with read access.
Patch Information
The fix is delivered in summarize v0.15.2, implemented in commit 9e990193650a23dab73f37d5e1964d574a44098b via pull request #217. The patch imports chmod in src/refresh-free.ts and applies the original file mode to the rewritten configuration. See the GitHub commit overview, the pull request discussion, the v0.15.2 release notes, and the VulnCheck advisory.
Workarounds
- Tighten the process umask to 0077 before launching summarize (in the launching shell, or via UMask= in a systemd unit) so newly created files default to owner-only permissions (0666 & ~077 = 0600). This masks the defect rather than fixing it, and is lost if the process is started from an environment with a looser umask.
- Manually chmod 600 the configuration file after each rewrite until the upgrade is applied.
- Restrict shell access on hosts running summarize and avoid deploying it on multi-tenant Unix systems.
# Configuration example: harden umask and reset config permissions
# Path used by this page; adjust if summarize stores its config elsewhere.
CONFIG="$HOME/.config/summarize/config.json"
umask 0077                      # new files in this shell and its children default to 0600 (0666 & ~0077)
chmod 600 "$CONFIG"             # reset the existing file to owner-only
stat -c '%a %U %n' "$CONFIG"    # GNU coreutils; on macOS/BSD use: stat -f '%Lp %Su %N' "$CONFIG"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


