Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
Lifecycle Timeline
4DescriptionCVE.org
Authentication Bypass Using an Alternate Path or Channel vulnerability in Drupal CAPTCHA allows Functionality Bypass.This issue affects CAPTCHA: from 0.0.0 before 1.17.0, from 2.0.0 before 2.0.10.
AnalysisAI
The Drupal CAPTCHA module contains an authentication bypass vulnerability (CWE-288) that allows attackers to circumvent CAPTCHA protection through an alternate path or channel, enabling functionality bypass. This vulnerability affects CAPTCHA versions 0.0.0 through 1.16.x and 2.0.0 through 2.0.9, allowing attackers to bypass CAPTCHA challenges intended to prevent automated abuse. While no CVSS score or EPSS data is currently available, the presence of an official Drupal security advisory and specific patched versions indicates active remediation efforts by the vendor.
Technical ContextAI
The Drupal CAPTCHA module (identified via CPE cpe:2.3:a:drupal:captcha) is a widely-used authentication challenge mechanism designed to prevent automated form submissions and brute-force attacks. The vulnerability falls under CWE-288 (Authentication Using an Alternate Path or Channel), which describes improper authentication enforcement when multiple access paths exist. In this case, the CAPTCHA module fails to consistently validate or enforce CAPTCHA requirements across all request channels or alternative form submission paths, potentially allowing attackers to submit forms without completing the intended CAPTCHA challenge. The affected versions indicate two major branches with independent vulnerability windows, suggesting the issue may have been introduced or persisted differently across major version releases.
RemediationAI
Immediately upgrade the Drupal CAPTCHA module to version 1.17.0 or later for the 1.x branch, or to version 2.0.10 or later for the 2.x branch. Refer to the official Drupal security advisory at https://www.drupal.org/sa-contrib-2026-015 for patch availability and detailed upgrade instructions specific to your Drupal version. After patching, clear all cached CAPTCHA data and validate that CAPTCHA challenges are functioning correctly on all affected forms. If immediate patching is not possible, consider temporarily disabling the CAPTCHA module and implementing alternative abuse prevention mechanisms such as rate-limiting at the web server level, IP-based access controls, or third-party CAPTCHA services (e.g., reCAPTCHA) until patches can be applied. Audit form submission logs for evidence of bypassed CAPTCHA challenges and investigate any suspicious account creation or form abuse during the vulnerability window.
Cross-site scripting (XSS) vulnerability in captchademo.php in Unijimpe Captcha allows remote attackers to inject arbitr
Cross-site scripting vulnerability in Captcha prior to version 4.3.0, Car Rental prior to version 1.0.5, Contact Form Mu
The BestWebSoft Captcha plugin before 4.0.7 for WordPress allows remote attackers to bypass the CAPTCHA protection mecha
Same technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-15473
GHSA-8p38-3423-m7q8