← back
CVE-2026-59704highCWE-862

Cap - Missing Access Control in Video AI Metadata Endpoint

21Vexday Risk Score

No sign of exploitation. No public exploitation artifact known so far.

ssvc Trackcvss 7.1epss 0.2%
exploitation probability
0.2%top 88% of all CVEs
observed exploitation
nono source reports it
Cap's GET /api/video/ai endpoint fails to validate user ownership or membership before returning private video AI metadata including titles, summaries, and chapters. Authenticated attackers can supply arbitrary video IDs to read sensitive AI-generated content and trigger unauthorized AI generation that consumes the video owner's credits without consent.
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N
Affected products
Cap · Cap