Description
Cap's GET /api/video/ai endpoint fails to validate user ownership or membership before returning private video AI metadata including titles, summaries, and chapters. Authenticated attackers can supply arbitrary video IDs to read sensitive AI-generated content and trigger unauthorized AI generation that consumes the video owner's credits without consent.
Problem types
Product status
Any version
Credits
George Chen
References
github.com/CapSoftware/Cap/issues/1981
github.com/CapSoftware/Cap/issues/1981 (GitHub Issue)
github.com/CapSoftware/Cap (Product)
github.com/...ommit/8d48642b6e7938af238386383ef1c273be4110dd (Patch Commit)
www.vulncheck.com/...s-control-in-video-ai-metadata-endpoint
github.com/CapSoftware/Cap/pull/1926 (Pull Request)