CVE-2026-59704
Cap - Missing Access Control in Video AI Metadata Endpoint
Sem sinal de exploração. Nenhum artefato público de exploração conhecido até agora.
Vexday Risk Score
21Baixo
Decisão SSVC (CISA)
Track
Sem sinal de exploração → monitorar
CVSS 7.1EPSS 0.2%KEV nãoPoC —Nuclei —Metasploit —Patch referenciado
Ciclo de vida
07 jul 2026Publicada no NVD
Recomendação: Monitorar — sem sinal de exploração no momento.
Cap's GET /api/video/ai endpoint fails to validate user ownership or membership before returning private video AI metadata including titles, summaries, and chapters. Authenticated attackers can supply arbitrary video IDs to read sensitive AI-generated content and trigger unauthorized AI generation that consumes the video owner's credits without consent.
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N
Produtos afetados
Cap · CapReferências
https://github.com/CapSoftware/Caphttps://github.com/CapSoftware/Cap/commit/8d48642b6e7938af238386383ef1c273be4110ddhttps://github.com/CapSoftware/Cap/issues/1981https://github.com/CapSoftware/Cap/pull/1926https://www.vulncheck.com/advisories/cap-missing-access-control-in-video-ai-metadata-endpoint