CVE-2026-45244
MEDIUM
Summarize < 0.15.1 Unapproved Browser Automation Execution
Title source: cna
Description
Summarize prior to 0.15.1 contains a missing authorization vulnerability that allows attackers to execute browser automation actions without per-call user approval when the extension automation feature is enabled. Attackers can influence the agent through malicious page or summary content to invoke enabled extension automation tools such as navigation or debugger-backed actions, bypassing the final user approval step when a user interacts with attacker-controlled content.
References (4)
Core References
Release Notes
https://github.com/steipete/summarize/releases/tag/v0.15.2
Issue Tracking
https://github.com/steipete/summarize/pull/219
Third Party Advisory
https://www.vulncheck.com/advisories/summarize-unapproved-browser-automation-execution
Scores
CVSS v3
5.4
EPSS
0.0023
EPSS Percentile
13.3%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
partial
Details
CWE
CWE-862
Status
published
Products (3)
steipete/summarize
< 0.15.1 (2 CPE variants)
steipete/summarize
0 - 0.15.0 (npm)
steipete/summarize
e64fe3ecd1bb4fdc181dcfa88c96b9e1914ced0e
Published
May 18, 2026
Tracked Since
May 19, 2026