PatchSiren cyber security CVE debrief
CVE-2026-59704 Cap CVE debrief
CVE-2026-59704 is a high-severity vulnerability in Cap's GET /api/video/ai endpoint. The endpoint fails to validate user ownership or membership before returning private video AI metadata, including titles, summaries, and chapters. Authenticated attackers can supply arbitrary video IDs to read sensitive AI-generated content and trigger unauthorized AI generation that consumes the video owner's credits without consent. This vulnerability affects users of Cap's video AI metadata endpoint, particularly those with sensitive video content. To address this vulnerability, defenders should prioritize validating user ownership or membership for video AI metadata access and implementing proper access controls for the GET /api/video/ai endpoint.
- Vendor
- Cap
- Product
- Unknown
- CVSS
- HIGH 7.1
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-07-07
- Original CVE updated
- 2026-07-07
- Advisory published
- 2026-07-07
- Advisory updated
- 2026-07-07
Who should care
Users of Cap's video AI metadata endpoint, particularly those with sensitive video content, should be aware of this vulnerability and take steps to protect themselves. This includes reviewing current video AI metadata access controls, validating user ownership or membership for video AI metadata access, and implementing proper access controls for the GET /api/video/ai endpoint. Additionally, defenders should monitor for suspicious activity and unauthorized AI generation, and update to the latest version of Cap's software if available.
Technical summary
The vulnerability exists in Cap's GET /api/video/ai endpoint, which fails to validate user ownership or membership before returning private video AI metadata, including titles, summaries, and chapters. This allows authenticated attackers to access sensitive AI-generated content and trigger unauthorized AI generation, potentially leading to unauthorized consumption of video owner credits. The affected endpoint processes video IDs supplied by authenticated users, and the vulnerability impacts users of Cap's video AI metadata endpoint, particularly those with sensitive video content. To mitigate this vulnerability, defenders should focus on validating user ownership or membership for video AI metadata access and implementing proper access controls for the GET /api/video/ai endpoint.
Defensive priority
Highly Critical
Recommended defensive actions
- Validate user ownership or membership for video AI metadata access
- Implement proper access controls for the GET /api/video/ai endpoint
- Monitor for suspicious activity and unauthorized AI generation
- Update to the latest version of Cap's software
- Review compensating controls for exposed systems while remediation is scheduled and verified
- Check relevant monitoring, detection, and logs for exposed assets that need extra review
- Track exceptions, retest remediated assets, and close the item only after evidence is documented
Evidence notes
The CVE record was published on 2026-07-07T23:16:55.850Z and has not been modified since then. The NVD entry is currently Received. There is limited information available about the vulnerability, and defenders should verify the affected scope and severity with the vendor. The CVE record does not provide details on the vulnerability's impact or exploitation. Defenders should review the supplied official advisory or CVE record to validate affected scope, severity, and vendor guidance.
Official resources
AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-07T23:16:55.850Z and has not been modified since then.