What is GHSA-qp7v-gjgg-4mj6?

GHSA-qp7v-gjgg-4mj6 is a security advisory published by GitHub Security Advisories with Medium severity. @steipete/summarize allows local attackers to read bearer tokens and API credentials stored in ~/.summarize/daemon.json

Which CVE IDs does GHSA-qp7v-gjgg-4mj6 cover?

GHSA-qp7v-gjgg-4mj6 covers the following CVE IDs: CVE-2026-45222. Each CVE has its own detail page on EchelonGraph Pulse with the synthesized EG score.

What is the CVSS v3 score of GHSA-qp7v-gjgg-4mj6?

GHSA-qp7v-gjgg-4mj6 has a CVSS v3 base score of 6.1, published by GitHub Security Advisories.

Which products are affected by GHSA-qp7v-gjgg-4mj6?

GHSA-qp7v-gjgg-4mj6 affects 1 product, including: npm/@steipete/summarize:\u003c 0.15.0.

GHSA-qp7v-gjgg-4mj6MediumCVSS 6.1

@steipete/summarize allows local attackers to read bearer tokens and API credentials stored in ~/.summarize/daemon.json

Vendor

GitHub Security Advisories

Published

May 11, 2026

Last Modified

May 18, 2026

🔗 CVE IDs covered (1)

CVE-2026-45222 →

📋 Description

Summarize versions through 0.14.1, fixed in commit 0cfb0fb, creates the daemon configuration directory and file with default filesystem permissions that may be world-readable on Unix-like systems, allowing local attackers to read bearer tokens and API credentials stored in ~/.summarize/daemon.json. A local attacker can exploit these permissive permissions to read the daemon bearer token and persisted provider credentials, enabling unauthorized access to the daemon or recovery of sensitive API keys.

🎯 Affected products1

npm/@steipete/summarize:< 0.15.0

🔗 References (6)

https://nvd.nist.gov/vuln/detail/CVE-2026-45222
https://github.com/steipete/summarize/pull/214
https://github.com/steipete/summarize/commit/0cfb0fb99777a87a7b02082b5e4bd449f8dd6175
https://www.vulncheck.com/advisories/summarize-insecure-daemon-configuration-file-permissions
https://github.com/steipete/summarize/releases/tag/v0.15.0
https://github.com/advisories/GHSA-qp7v-gjgg-4mj6