๐Ÿ” CVE Alert

CVE-2026-59704

HIGH 7.1

Cap - Missing Access Control in Video AI Metadata Endpoint

CVSS Score
7.1
EPSS Score
0.2%
EPSS Percentile
12th

Cap's GET /api/video/ai endpoint fails to validate user ownership or membership before returning private video AI metadata including titles, summaries, and chapters. Authenticated attackers can supply arbitrary video IDs to read sensitive AI-generated content and trigger unauthorized AI generation that consumes the video owner's credits without consent.

CWE CWE-862
Vendor cap
Product cap
Published Jul 7, 2026
Last Updated Jul 9, 2026
Stay Ahead of the Next One

Get instant alerts for cap cap

Be the first to know when new high vulnerabilities affecting cap cap are published โ€” delivered to Slack, Telegram or Discord.

Get Free Alerts โ†’ Free ยท No credit card ยท 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
Low
Availability
None

Affected Versions

Cap / Cap
0 โ‰ค 8d48642

References

NVD โ†— CVE.org โ†— EPSS Data โ†—
github.com: https://github.com/CapSoftware/Cap/issues/1981 github.com: https://github.com/CapSoftware/Cap github.com: https://github.com/CapSoftware/Cap/commit/8d48642b6e7938af238386383ef1c273be4110dd vulncheck.com: https://www.vulncheck.com/advisories/cap-missing-access-control-in-video-ai-metadata-endpoint github.com: https://github.com/CapSoftware/Cap/pull/1926

Credits

๐Ÿ” George Chen