CVE-2026-45242: Missing Authorization in steipete summarize
Summarize prior to 0.15.1 contains a path traversal vulnerability in the /v1/summarize daemon endpoint that allows authenticated callers to write files to arbitrary directories by supplying an absolute path or directory traversal sequence in the slidesDir request parameter. Attackers can exploit this to write slide_*.png and slides.json files to any writable directory and subsequently delete matching files at the specified location through repeat extraction.
AI Analysis
Technical Summary
The vulnerability CVE-2026-45242 in steipete summarize prior to version 0.15.1 is a path traversal issue in the /v1/summarize daemon endpoint. Authenticated callers can supply an absolute path or directory traversal sequence in the slidesDir parameter, enabling them to write slide_*.png and slides.json files to arbitrary writable directories and delete matching files by repeated extraction. This allows unauthorized file write and deletion operations outside the intended directory scope. The CVSS 4.0 base score is 7.1 (high severity), with network attack vector, low attack complexity, no user interaction, and high impact on integrity. No official patch or remediation level is currently documented.
Potential Impact
An authenticated attacker can write and delete files in arbitrary writable directories on the system running the vulnerable summarize service. This can lead to unauthorized modification or removal of files, potentially impacting system integrity or application behavior. The vulnerability does not indicate direct remote code execution or confidentiality impact but poses a significant integrity risk.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is available, restrict access to the /v1/summarize endpoint to trusted authenticated users only and monitor for unusual file write or deletion activity related to slide_*.png and slides.json files. Avoid running the service with excessive file system permissions to limit potential damage.
CVE-2026-45242: Missing Authorization in steipete summarize
Description
Summarize prior to 0.15.1 contains a path traversal vulnerability in the /v1/summarize daemon endpoint that allows authenticated callers to write files to arbitrary directories by supplying an absolute path or directory traversal sequence in the slidesDir request parameter. Attackers can exploit this to write slide_*.png and slides.json files to any writable directory and subsequently delete matching files at the specified location through repeat extraction.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
The vulnerability CVE-2026-45242 in steipete summarize prior to version 0.15.1 is a path traversal issue in the /v1/summarize daemon endpoint. Authenticated callers can supply an absolute path or directory traversal sequence in the slidesDir parameter, enabling them to write slide_*.png and slides.json files to arbitrary writable directories and delete matching files by repeated extraction. This allows unauthorized file write and deletion operations outside the intended directory scope. The CVSS 4.0 base score is 7.1 (high severity), with network attack vector, low attack complexity, no user interaction, and high impact on integrity. No official patch or remediation level is currently documented.
Potential Impact
An authenticated attacker can write and delete files in arbitrary writable directories on the system running the vulnerable summarize service. This can lead to unauthorized modification or removal of files, potentially impacting system integrity or application behavior. The vulnerability does not indicate direct remote code execution or confidentiality impact but poses a significant integrity risk.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is available, restrict access to the /v1/summarize endpoint to trusted authenticated users only and monitor for unusual file write or deletion activity related to slide_*.png and slides.json files. Avoid running the service with excessive file system permissions to limit potential damage.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- VulnCheck
- Date Reserved
- 2026-05-11T14:14:49.613Z
- Cvss Version
- 4.0
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 6a0b633fec166c07b0e6172f
Added to database: 5/18/2026, 7:06:39 PM
Last enriched: 5/18/2026, 7:21:44 PM
Last updated: 5/20/2026, 6:17:31 PM
Views: 19
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.