Cap's GET /api/video/ai endpoint fails to validate user ownership or membership before returning private video AI metadata including titles, summaries, and chapters. Authenticated attackers can supply arbitrary video IDs to read sensitive AI-generated content and trigger unauthorized AI generation that consumes the video owner's credits without consent.
Metrics
Affected Vendors & Products
References
History
Tue, 07 Jul 2026 22:45:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Description | Cap's GET /api/video/ai endpoint fails to validate user ownership or membership before returning private video AI metadata including titles, summaries, and chapters. Authenticated attackers can supply arbitrary video IDs to read sensitive AI-generated content and trigger unauthorized AI generation that consumes the video owner's credits without consent. | |
| Title | Cap - Missing Access Control in Video AI Metadata Endpoint | |
| First Time appeared |
Capnproto
Capnproto capnproto |
|
| Weaknesses | CWE-862 | |
| CPEs | cpe:2.3:a:capnproto:capnproto:*:*:*:*:*:*:*:* | |
| Vendors & Products |
Capnproto
Capnproto capnproto |
|
| References |
|
|
| Metrics |
cvssV3_1
|
Status: PUBLISHED
Assigner: VulnCheck
Published:
Updated: 2026-07-07T22:20:25.363Z
Reserved: 2026-07-06T15:31:46.187Z
Link: CVE-2026-59704
No data.
No data.
No data.
OpenCVE Enrichment
No data.