Cap's GET /api/video/ai endpoint fails to validate user ownership or membership before returning private video AI metadata including titles, summaries, and chapters. Authenticated attackers can supply arbitrary video IDs to read sensitive AI-generated content and trigger unauthorized AI generation that consumes the video owner's credits without consent.
Advisories
No advisories yet.
Fixes
Solution
No solution given by the vendor.
Workaround
No workaround given by the vendor.
References
History
Tue, 07 Jul 2026 22:45:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Description | Cap's GET /api/video/ai endpoint fails to validate user ownership or membership before returning private video AI metadata including titles, summaries, and chapters. Authenticated attackers can supply arbitrary video IDs to read sensitive AI-generated content and trigger unauthorized AI generation that consumes the video owner's credits without consent. | |
| Title | Cap - Missing Access Control in Video AI Metadata Endpoint | |
| First Time appeared |
Capnproto
Capnproto capnproto |
|
| Weaknesses | CWE-862 | |
| CPEs | cpe:2.3:a:capnproto:capnproto:*:*:*:*:*:*:*:* | |
| Vendors & Products |
Capnproto
Capnproto capnproto |
|
| References |
|
|
| Metrics |
cvssV3_1
|
Projects
Sign in to view the affected projects.
Status: PUBLISHED
Assigner: VulnCheck
Published:
Updated: 2026-07-07T22:20:25.363Z
Reserved: 2026-07-06T15:31:46.187Z
Link: CVE-2026-59704
No data.
No data.
No data.
OpenCVE Enrichment
Updated: 2026-07-08T09:00:14Z
Weaknesses