CVE-2026-3214
Authentication Bypass in Drupal CAPTCHA Enables Functionality Bypass
Publication date: 2026-03-25
Last updated on: 2026-04-02
Assigner: Drupal.org
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| arnabdotorg | captcha | to 8.x-1.17 (exc) |
| arnabdotorg | captcha | From 2.0.0 (inc) to 2.0.10 (exc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-288 | The product requires authentication, but the product has an alternate path or channel that does not require authentication. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is an Authentication Bypass Using an Alternate Path or Channel in the Drupal CAPTCHA module. It allows attackers to bypass CAPTCHA functionality, which is intended to verify that a user is human and prevent automated access. The issue affects versions of the CAPTCHA module before 1.17.0 in the 0.x series and before 2.0.10 in the 2.x series.
How can this vulnerability impact me?
By bypassing the CAPTCHA functionality, attackers can potentially automate interactions with the Drupal site that are meant to be restricted to human users. This could lead to increased spam, automated account creation, or other malicious automated activities that the CAPTCHA was designed to prevent.