Description
Authentication Bypass Using an Alternate Path or Channel vulnerability in Drupal CAPTCHA allows Functionality Bypass. This issue affects CAPTCHA: from 0.0.0 before 1.17.0, from 2.0.0 before 2.0.10.
Published: 2026-03-25
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Authentication bypass
Action: Patch immediately
AI Analysis

Impact

This vulnerability in Drupal CAPTCHA allows an attacker to bypass the module's checks by using an alternate path or channel. The flaw is classified as CWE-288 (Authentication Bypass Using an Alternate Path or Channel) and can enable attackers to reach functionality that should require proper authentication, potentially providing unauthorized control over site features.

Affected Systems

Drupal CAPTCHA module versions prior to 1.17.0 (1.x branch) and prior to 2.0.10 (2.x branch) are affected. Users running these versions should verify their installation and update to the latest releases to eliminate the flaw.

Risk and Exploitability

The CVSS base score of 6.5 indicates moderate severity. EPSS is below 1%, suggesting a low probability of exploitation, and the flaw is not listed in the CISA KEV catalog. Exploitation likely requires sending crafted web requests to the CAPTCHA endpoint through a non-standard path, and the attacker may need network access to the affected site. If the site uses Drupal CAPTCHA for critical authentication flows, the impact could be significant.

Generated by OpenCVE AI on March 26, 2026 at 15:38 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest Drupal CAPTCHA patch (v1.17.0 or later, v2.0.10 or later).
  • If a patch is unavailable, disable the CAPTCHA module or restrict access to trusted users.
  • Verify that all authentication endpoints require proper session tokens after disabling or updating.



Advisories

No advisories yet.

References
History

Thu, 26 Mar 2026 14:15:00 +0000

Type: Metrics
Values added:
  cvssV3_1: {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N'}
  ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 26 Mar 2026 12:00:00 +0000

Type: First Time appeared
Values added: Drupal; Drupal captcha

Type: Vendors & Products
Values added: Drupal; Drupal captcha

Wed, 25 Mar 2026 15:45:00 +0000

Type: Description
Values added: Authentication Bypass Using an Alternate Path or Channel vulnerability in Drupal CAPTCHA allows Functionality Bypass. This issue affects CAPTCHA: from 0.0.0 before 1.17.0, from 2.0.0 before 2.0.10.

Type: Title
Values added: CAPTCHA - Moderately critical - Access bypass - SA-CONTRIB-2026-015

Type: Weaknesses
Values added: CWE-288

Type: References

MITRE

Status: PUBLISHED

Assigner: drupal

Published:

Updated: 2026-03-26T13:44:25.007Z

Reserved: 2026-02-25T16:59:29.386Z

Link: CVE-2026-3214

Vulnrichment

Updated: 2026-03-26T13:43:58.714Z

NVD

Status: Awaiting Analysis

Published: 2026-03-25T16:16:22.490

Modified: 2026-03-26T15:16:40.323

Link: CVE-2026-3214

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-27T09:47:02Z

Weaknesses