Skip to main content

Captcha CVE-2026-3214

| EUVDEUVD-2026-15473 MEDIUM
Authentication Bypass Using an Alternate Path or Channel (CWE-288)
2026-03-25 drupal GHSA-8p38-3423-m7q8
6.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
6.5 MEDIUM
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

4
Patch released
Mar 31, 2026 - 21:13 nvd
Patch available
EUVD ID Assigned
Mar 25, 2026 - 15:46 euvd
EUVD-2026-15473
Analysis Generated
Mar 25, 2026 - 15:46 vuln.today
CVE Published
Mar 25, 2026 - 15:23 nvd
MEDIUM 6.5

DescriptionCVE.org

Authentication Bypass Using an Alternate Path or Channel vulnerability in Drupal CAPTCHA allows Functionality Bypass.This issue affects CAPTCHA: from 0.0.0 before 1.17.0, from 2.0.0 before 2.0.10.

AnalysisAI

The Drupal CAPTCHA module contains an authentication bypass vulnerability (CWE-288) that allows attackers to circumvent CAPTCHA protection through an alternate path or channel, enabling functionality bypass. This vulnerability affects CAPTCHA versions 0.0.0 through 1.16.x and 2.0.0 through 2.0.9, allowing attackers to bypass CAPTCHA challenges intended to prevent automated abuse. While no CVSS score or EPSS data is currently available, the presence of an official Drupal security advisory and specific patched versions indicates active remediation efforts by the vendor.

Technical ContextAI

The Drupal CAPTCHA module (identified via CPE cpe:2.3:a:drupal:captcha) is a widely-used authentication challenge mechanism designed to prevent automated form submissions and brute-force attacks. The vulnerability falls under CWE-288 (Authentication Using an Alternate Path or Channel), which describes improper authentication enforcement when multiple access paths exist. In this case, the CAPTCHA module fails to consistently validate or enforce CAPTCHA requirements across all request channels or alternative form submission paths, potentially allowing attackers to submit forms without completing the intended CAPTCHA challenge. The affected versions indicate two major branches with independent vulnerability windows, suggesting the issue may have been introduced or persisted differently across major version releases.

RemediationAI

Immediately upgrade the Drupal CAPTCHA module to version 1.17.0 or later for the 1.x branch, or to version 2.0.10 or later for the 2.x branch. Refer to the official Drupal security advisory at https://www.drupal.org/sa-contrib-2026-015 for patch availability and detailed upgrade instructions specific to your Drupal version. After patching, clear all cached CAPTCHA data and validate that CAPTCHA challenges are functioning correctly on all affected forms. If immediate patching is not possible, consider temporarily disabling the CAPTCHA module and implementing alternative abuse prevention mechanisms such as rate-limiting at the web server level, IP-based access controls, or third-party CAPTCHA services (e.g., reCAPTCHA) until patches can be applied. Audit form submission logs for evidence of bypassed CAPTCHA challenges and investigate any suspicious account creation or form abuse during the vulnerability window.

Share

CVE-2026-3214 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy