Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Network endpoint reachable by any authenticated user (PR:L, AV:N/AC:L/UI:N); high confidentiality from private metadata disclosure, low integrity from unauthorized AI generation, no availability impact.
Primary rating from Vendor (VulnCheck).
CVSS VectorVendor: VulnCheck
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
1DescriptionCVE.org
Cap's GET /api/video/ai endpoint fails to validate user ownership or membership before returning private video AI metadata including titles, summaries, and chapters. Authenticated attackers can supply arbitrary video IDs to read sensitive AI-generated content and trigger unauthorized AI generation that consumes the video owner's credits without consent.
AnalysisAI
Broken object-level authorization in Cap's GET /api/video/ai endpoint lets any authenticated user supply arbitrary video IDs to read private AI-generated metadata - titles, summaries, and chapters - belonging to other users, and to trigger unauthorized AI generation that burns the victim's credits. Reported by VulnCheck with a vendor patch (commit 8d48642) available; no public exploit identified at time of analysis, and EPSS/KEV data were not supplied. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | The attacker must hold a valid authenticated Cap account (CVSS PR:L) and send requests to the GET /api/video/ai endpoint supplying video IDs belonging to other users; no ownership or workspace membership of the target video is required, which is precisely the missing check. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The provided CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:L/VA:N) scores 7.1 (High) and is internally consistent with the description: network-reachable, low complexity, low privileges (any authenticated account), no user interaction, high confidentiality impact and low integrity impact. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker registers or uses any low-privilege Cap account, authenticates, and iterates or guesses video IDs while calling GET /api/video/ai. For each ID they harvest the private title, summary, and chapter data of other users' recordings, and by requesting IDs without cached output they force AI generation that silently drains the victims' credits. … |
| Remediation | Patch available per vendor advisory: apply the upstream fix in commit 8d48642b6e7938af238386383ef1c273be4110dd (PR https://github.com/CapSoftware/Cap/pull/1926), which adds ownership/membership validation to GET /api/video/ai; an exact released/tagged version was not provided, so an upstream fix is available but a released patched version is not independently confirmed - self-hosters should rebuild from the patched commit or later. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Assess exposure by identifying all users and services with API access to Cap's GET /api/video/ai endpoint; review access logs for requests referencing video IDs not owned by the requestor. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-862 – Missing Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-42128
GHSA-2fr3-3757-j2f7