Skip to main content

Cap

1 CVEs product

Monthly

CVE-2026-59704 HIGH PATCH This Week

Broken object-level authorization in Cap's GET /api/video/ai endpoint lets any authenticated user supply arbitrary video IDs to read private AI-generated metadata - titles, summaries, and chapters - belonging to other users, and to trigger unauthorized AI generation that burns the victim's credits. Reported by VulnCheck with a vendor patch (commit 8d48642) available; no public exploit identified at time of analysis, and EPSS/KEV data were not supplied. The flaw combines confidentiality loss over private content with an abusable, cost-incurring side effect.

Authentication Bypass Cap
NVD GitHub VulDB
CVSS 4.0
7.1
EPSS
0.2%
EPSS 0% CVSS 7.1
HIGH PATCH This Week

Broken object-level authorization in Cap's GET /api/video/ai endpoint lets any authenticated user supply arbitrary video IDs to read private AI-generated metadata - titles, summaries, and chapters - belonging to other users, and to trigger unauthorized AI generation that burns the victim's credits. Reported by VulnCheck with a vendor patch (commit 8d48642) available; no public exploit identified at time of analysis, and EPSS/KEV data were not supplied. The flaw combines confidentiality loss over private content with an abusable, cost-incurring side effect.

Authentication Bypass Cap
NVD GitHub VulDB

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy