CVE-2026-59704
Received Received - Intake

Cap's AI Video Metadata Exposure via IDOR

Vulnerability report for CVE-2026-59704, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-07

Last updated on: 2026-07-07

Assigner: VulnCheck

Description

Cap's GET /api/video/ai endpoint fails to validate user ownership or membership before returning private video AI metadata including titles, summaries, and chapters. Authenticated attackers can supply arbitrary video IDs to read sensitive AI-generated content and trigger unauthorized AI generation that consumes the video owner's credits without consent.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-07
Last Modified
2026-07-07
Generated
2026-07-08
AI Q&A
2026-07-08
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Currently, no data is known.

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-862 The product does not perform an authorization check when an actor attempts to access a resource or perform an action.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability exists in Cap's GET /api/video/ai endpoint, which fails to verify whether a user owns or is a member authorized to access certain video AI metadata. As a result, authenticated attackers can provide arbitrary video IDs to access private AI-generated content such as titles, summaries, and chapters that they should not see.

Additionally, attackers can trigger unauthorized AI generation processes that consume the video owner's credits without their consent.

Impact Analysis

The vulnerability can lead to unauthorized disclosure of sensitive AI-generated video metadata, compromising privacy and confidentiality.

It can also result in financial impact or resource misuse, as attackers can trigger AI generation that consumes the video owner's credits without permission.

Compliance Impact

This vulnerability allows authenticated attackers to access private video AI metadata without proper validation of user ownership or membership. This unauthorized access to sensitive AI-generated content could lead to exposure of personal or confidential information.

Such unauthorized disclosure of sensitive data may result in non-compliance with data protection regulations like GDPR and HIPAA, which require strict controls over access to personal and sensitive information.

Additionally, the unauthorized triggering of AI generation consuming the video owner's credits without consent may raise concerns about consent and resource misuse under these regulations.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-59704. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart