PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-59704 Cap CVE debrief

CVE-2026-59704 is a high-severity vulnerability in Cap's GET /api/video/ai endpoint. The endpoint fails to validate user ownership or membership before returning private video AI metadata, including titles, summaries, and chapters. Authenticated attackers can supply arbitrary video IDs to read sensitive AI-generated content and trigger unauthorized AI generation that consumes the video owner's credits without consent. This vulnerability affects users of Cap's video AI metadata endpoint, particularly those with sensitive video content. To address this vulnerability, defenders should prioritize validating user ownership or membership for video AI metadata access and implementing proper access controls for the GET /api/video/ai endpoint.

Vendor
Cap
Product
Unknown
CVSS
HIGH 7.1
CISA KEV
Not listed in stored evidence
Original CVE published
2026-07-07
Original CVE updated
2026-07-07
Advisory published
2026-07-07
Advisory updated
2026-07-07

Who should care

Users of Cap's video AI metadata endpoint, particularly those with sensitive video content, should be aware of this vulnerability and take steps to protect themselves. This includes reviewing current video AI metadata access controls, validating user ownership or membership for video AI metadata access, and implementing proper access controls for the GET /api/video/ai endpoint. Additionally, defenders should monitor for suspicious activity and unauthorized AI generation, and update to the latest version of Cap's software if available.

Technical summary

The vulnerability exists in Cap's GET /api/video/ai endpoint, which fails to validate user ownership or membership before returning private video AI metadata, including titles, summaries, and chapters. This allows authenticated attackers to access sensitive AI-generated content and trigger unauthorized AI generation, potentially leading to unauthorized consumption of video owner credits. The affected endpoint processes video IDs supplied by authenticated users, and the vulnerability impacts users of Cap's video AI metadata endpoint, particularly those with sensitive video content. To mitigate this vulnerability, defenders should focus on validating user ownership or membership for video AI metadata access and implementing proper access controls for the GET /api/video/ai endpoint.

Defensive priority

Highly Critical

Recommended defensive actions

  • Validate user ownership or membership for video AI metadata access
  • Implement proper access controls for the GET /api/video/ai endpoint
  • Monitor for suspicious activity and unauthorized AI generation
  • Update to the latest version of Cap's software
  • Review compensating controls for exposed systems while remediation is scheduled and verified
  • Check relevant monitoring, detection, and logs for exposed assets that need extra review
  • Track exceptions, retest remediated assets, and close the item only after evidence is documented

Evidence notes

The CVE record was published on 2026-07-07T23:16:55.850Z and has not been modified since then. The NVD entry is currently Received. There is limited information available about the vulnerability, and defenders should verify the affected scope and severity with the vendor. The CVE record does not provide details on the vulnerability's impact or exploitation. Defenders should review the supplied official advisory or CVE record to validate affected scope, severity, and vendor guidance.

Official resources

AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-07T23:16:55.850Z and has not been modified since then.