Description
Authentication Bypass Using an Alternate Path or Channel vulnerability in Drupal CAPTCHA allows Functionality Bypass. This issue affects CAPTCHA: from 0.0.0 before 1.17.0, from 2.0.0 before 2.0.10.
Published: 2026-03-25
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Authentication Bypass via CAPTCHA
Action: Patch
AI Analysis

Impact

This vulnerability is an authentication bypass that allows attackers to circumvent the CAPTCHA verification mechanism in Drupal. By using an alternate path or channel, an adversary can submit form data without completing the CAPTCHA, thereby enabling automated spam or brute-force attacks. The weakness is an access-control failure, classified as CWE-288, which can compromise the integrity of the submission process and allow unauthorized actions that should be protected by CAPTCHA.

Affected Systems

Vulnerable releases of the Drupal CAPTCHA module include all versions from the initial release 0.0.0 up through 1.16.9, as well as 2.0.0 through 2.0.9. System administrators should verify whether these modules are installed on their Drupal sites.

Risk and Exploitability

The CVSS base score of 6.5 indicates moderate risk, and the EPSS score of less than 1% reflects a low probability of exploitation in the wild. The vulnerability does not appear in the CISA KEV catalog. Attackers need only send crafted HTTP requests to the CAPTCHA endpoint; no special permission or privileged access is required. Because the flaw involves an alternate request channel, it can be triggered from a normal web browser or an automated tool, making it potentially exploitable even against sites with minimal hardening.

Generated by OpenCVE AI on April 2, 2026 at 22:17 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Drupal CAPTCHA module to version 1.17.0 or later, or to 2.0.10 or later, as directed by the official Drupal security advisory.
  • If an upgrade cannot be performed immediately, temporarily disable the CAPTCHA module on all forms until the update is applied.
  • Verify that the module is no longer vulnerable by attempting a bypass test or using an automated security scanner.
  • Monitor form and login logs for repeated submissions or abnormal activity that may indicate the use of an unprotected bypass.

Advisories

No advisories yet.

History

Thu, 02 Apr 2026 20:30:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Arnabdotorg; Arnabdotorg captcha
CPEs | | cpe:2.3:a:arnabdotorg:captcha:*:*:*:*:*:drupal:*:*
Vendors & Products | | Arnabdotorg; Arnabdotorg captcha

Thu, 26 Mar 2026 14:15:00 +0000

Type | Values Removed | Values Added
Metrics | | cvssV3_1: {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N'}
Metrics | | ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 26 Mar 2026 12:00:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Drupal; Drupal captcha
Vendors & Products | | Drupal; Drupal captcha

Wed, 25 Mar 2026 15:45:00 +0000

Type | Values Removed | Values Added
Description | | Authentication Bypass Using an Alternate Path or Channel vulnerability in Drupal CAPTCHA allows Functionality Bypass. This issue affects CAPTCHA: from 0.0.0 before 1.17.0, from 2.0.0 before 2.0.10.
Title | | CAPTCHA - Moderately critical - Access bypass - SA-CONTRIB-2026-015
Weaknesses | | CWE-288
References | |

MITRE

Status: PUBLISHED

Assigner: drupal

Published:

Updated: 2026-03-26T13:44:25.007Z

Reserved: 2026-02-25T16:59:29.386Z

Link: CVE-2026-3214

Vulnrichment

Updated: 2026-03-26T13:43:58.714Z

NVD

Status: Analyzed

Published: 2026-03-25T16:16:22.490

Modified: 2026-04-02T20:36:11.023

Link: CVE-2026-3214

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-03T09:39:03Z

Weaknesses