Skip to main content

Cap CVE-2026-59704

| EUVDEUVD-2026-42128 HIGH
Missing Authorization (CWE-862)
2026-07-07 VulnCheck GHSA-2fr3-3757-j2f7
7.1
CVSS 4.0 · Vendor: VulnCheck
Share

Severity by source

Vendor (VulnCheck) PRIMARY
7.1 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
7.1 HIGH

Network endpoint reachable by any authenticated user (PR:L, AV:N/AC:L/UI:N); high confidentiality from private metadata disclosure, low integrity from unauthorized AI generation, no availability impact.

3.1 AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (VulnCheck).

CVSS VectorVendor: VulnCheck

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

1
Analysis Generated
Jul 07, 2026 - 23:21 vuln.today

DescriptionCVE.org

Cap's GET /api/video/ai endpoint fails to validate user ownership or membership before returning private video AI metadata including titles, summaries, and chapters. Authenticated attackers can supply arbitrary video IDs to read sensitive AI-generated content and trigger unauthorized AI generation that consumes the video owner's credits without consent.

AnalysisAI

Broken object-level authorization in Cap's GET /api/video/ai endpoint lets any authenticated user supply arbitrary video IDs to read private AI-generated metadata - titles, summaries, and chapters - belonging to other users, and to trigger unauthorized AI generation that burns the victim's credits. Reported by VulnCheck with a vendor patch (commit 8d48642) available; no public exploit identified at time of analysis, and EPSS/KEV data were not supplied. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Authenticate with any Cap account
Delivery
Enumerate or obtain victim video IDs
Exploit
Call GET /api/video/ai with target ID
Execution
Read private AI titles, summaries, chapters
Persist
Trigger unauthorized AI generation
Impact
Drain owner's credits

Vulnerability AssessmentAI

Exploitation The attacker must hold a valid authenticated Cap account (CVSS PR:L) and send requests to the GET /api/video/ai endpoint supplying video IDs belonging to other users; no ownership or workspace membership of the target video is required, which is precisely the missing check. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The provided CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:L/VA:N) scores 7.1 (High) and is internally consistent with the description: network-reachable, low complexity, low privileges (any authenticated account), no user interaction, high confidentiality impact and low integrity impact. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker registers or uses any low-privilege Cap account, authenticates, and iterates or guesses video IDs while calling GET /api/video/ai. For each ID they harvest the private title, summary, and chapter data of other users' recordings, and by requesting IDs without cached output they force AI generation that silently drains the victims' credits. …
Remediation Patch available per vendor advisory: apply the upstream fix in commit 8d48642b6e7938af238386383ef1c273be4110dd (PR https://github.com/CapSoftware/Cap/pull/1926), which adds ownership/membership validation to GET /api/video/ai; an exact released/tagged version was not provided, so an upstream fix is available but a released patched version is not independently confirmed - self-hosters should rebuild from the patched commit or later. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Assess exposure by identifying all users and services with API access to Cap's GET /api/video/ai endpoint; review access logs for requests referencing video IDs not owned by the requestor. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-59704 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy