PT-2026-56279 · Cap · Cap

George Chen

·

Published

2026-07-07

·

Updated

2026-07-08

·

CVE-2026-59704

CVSS v3.1

7.1

High

VectorAV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N
Name of the Vulnerable Software and Affected Versions Cap (affected versions not specified)
Description The 'GET /api/video/ai' endpoint fails to validate user ownership or membership. This allows authenticated attackers to provide arbitrary video IDs to access private AI metadata, such as titles, summaries, and chapters. Additionally, this flaw can be used to trigger unauthorized AI generation, which consumes the credits of the video owner without their consent.
Recommendations At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Missing Authorization

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

CVE-2026-59704

Affected Products

Cap