Medium severity (CVSS 6.1) · NVD Advisory · Published May 11, 2026 · Updated May 13, 2026
CVE-2026-45222
Description
Summarize versions through 0.14.1 (fixed in commit 0cfb0fb) create the daemon configuration directory and the file ~/.summarize/daemon.json with default filesystem permissions, which on Unix-like systems are typically governed only by the process umask and may leave both world-readable. Because daemon.json persists the daemon bearer token and provider API credentials, any local user on the host can read it, obtain unauthorized access to the daemon, and recover the stored API keys.
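The following added example (it is not code from the Summarize project or from the advisory) shows the two creation patterns side by side and a small audit routine a defender can run against an existing install. The write_config_default function reproduces the weakness described above: with a typical umask of 022 it yields a 0755 directory and a 0644 file. The write_config_private function enforces owner-only modes explicitly, including on paths that already exist. Function names, the placeholder credentials and the use of a temporary home directory are assumptions of this example, not details from the page.

```python
import json
import os
import stat
import tempfile

# Constructed sample content; the placeholder values stand in for the bearer
# token and provider credentials that the advisory says daemon.json persists.
SAMPLE_CONFIG = {
    "token": "PLACEHOLDER-BEARER-TOKEN",
    "providers": {"example-provider": "PLACEHOLDER-API-KEY"},
}


def write_config_default(path, data):
    """The pattern the advisory describes: directory and file are created with
    default modes, so the umask alone decides who can read them. A typical
    umask of 022 gives 0755 for the directory and 0644 for the file."""
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w") as f:
        json.dump(data, f)


def write_config_private(path, data):
    """Hardened variant: owner-only directory and file, enforced explicitly
    rather than left to the umask, and re-applied if the paths already exist."""
    directory = os.path.dirname(path)
    os.makedirs(directory, mode=0o700, exist_ok=True)
    os.chmod(directory, 0o700)  # makedirs' mode is still masked; enforce it
    # The mode given to O_CREAT only applies when the file is newly created,
    # so the chmod below also tightens a file that already existed as 0644.
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as f:
        json.dump(data, f)
    os.chmod(path, 0o600)


def audit_config(path):
    """Return one finding per path (directory first, then file) whose mode
    grants any group or other permission. An empty list means owner-only.
    Uses Unix mode bits, matching the platforms the advisory concerns."""
    findings = []
    for target, label in ((os.path.dirname(path), "directory"), (path, "file")):
        mode = stat.S_IMODE(os.stat(target).st_mode)
        if mode & (stat.S_IRWXG | stat.S_IRWXO):
            findings.append(f"{label} {target} has mode {oct(mode)}; readable beyond the owner")
    return findings


def demo(umask=0o022):
    """Create the config both ways under a temporary home directory and return
    the audit findings for each, with the umask pinned to a common default."""
    old_umask = os.umask(umask)
    try:
        with tempfile.TemporaryDirectory() as home:
            path = os.path.join(home, ".summarize", "daemon.json")
            write_config_default(path, SAMPLE_CONFIG)
            before = audit_config(path)
            write_config_private(path, SAMPLE_CONFIG)
            after = audit_config(path)
    finally:
        os.umask(old_umask)
    return {"default": before, "private": after}


if __name__ == "__main__":
    for variant, findings in demo().items():
        print(variant, findings or "owner-only")
```

Running the script prints two findings for the default pattern (directory and file both readable beyond the owner) and none after the hardened rewrite. To check a real installation, call audit_config with the expanded path of ~/.summarize/daemon.json; any finding means the token and keys in that file should be treated as exposed to other local users and rotated after the modes are tightened.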
Affected products: 1
Patches: 0. No patches discovered yet.
References: 3
News mentions: 7
- Securing data centers in the agentic AI era (Tenable Blog · May 13, 2026)
- Your Purple Team Isn't Purple — It's Just Red and Blue in the Same Room (The Hacker News · May 11, 2026)
- Security teams are turning to AI to survive alert overload (Help Net Security · May 11, 2026)
- Mastering agentic AI security through exposure management (Tenable Blog · Apr 29, 2026)
- Moving past bots vs. humans (Cloudflare Blog · Apr 21, 2026)
- Project Glasswing and the Next Challenge for Defenders: Turning Faster Discovery into Faster Action (Rapid7 Blog · Apr 20, 2026)
- Falcon AIDR Detects Threats at the Prompt Layer in Kubernetes AI Applications (CrowdStrike Blog)