CVE-2026-59704
Severity CVSS v4.0:
HIGH
Type:
Unavailable / Other
Publication date:
07/07/2026
Last modified:
10/07/2026
Description
Cap's GET /api/video/ai endpoint fails to validate user ownership or membership before returning private video AI metadata including titles, summaries, and chapters. Authenticated attackers can supply arbitrary video IDs to read sensitive AI-generated content and trigger unauthorized AI generation that consumes the video owner's credits without consent.
Impact
Base Score 4.0
7.10
Severity 4.0
HIGH
Base Score 3.x
7.10
Severity 3.x
HIGH
References to Advisories, Solutions, and Tools
- https://github.com/CapSoftware/Cap
- https://github.com/CapSoftware/Cap/commit/8d48642b6e7938af238386383ef1c273be4110dd
- https://github.com/CapSoftware/Cap/issues/1981
- https://github.com/CapSoftware/Cap/pull/1926
- https://www.vulncheck.com/advisories/cap-missing-access-control-in-video-ai-metadata-endpoint
- https://github.com/CapSoftware/Cap/issues/1981



