CVE-2026-49953
Status: Deferred - Pending Action
CAPTCHA Bypass in Discuz! X5.0

Publication date: 2026-06-15

Last updated on: 2026-06-15

Assigner: VulnCheck

Description
Discuz! X5.0 releases 20260320 through 20260610 contain a CAPTCHA bypass vulnerability that allows unauthenticated remote attackers to defeat challenge controls by exploiting the limited complexity and predictable character sets of the generated CAPTCHA images. Attackers can train a custom optical character recognition model on collected CAPTCHA samples to reliably predict the challenge text, bypassing the protections that guard login, registration, and other functionality against automated abuse.
Meta Information
Published: 2026-06-15
Last Modified: 2026-06-15
Generated: 2026-06-16
AI Q&A: 2026-06-16
EPSS Evaluated: N/A
Affected Vendors & Products
Associated CPEs (4):

Vendor    Product   Version / Range
discuz!   x5.0      From 20260320 (inc) to 20260610 (inc)
discuz!   x3.4      *
discuz!   x3.5      *
comsenz   discuz    From 20260320 (inc) to 20260501 (inc)
CWE
CWE-804: The product uses a CAPTCHA challenge, but the challenge can be guessed or automatically recognized by a non-human actor.
AI Quick Actions
Compliance Impact

The provided information does not specify any direct impact of this CAPTCHA bypass vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.

Executive Summary

This vulnerability affects Discuz! X5.0 versions released between 20260320 and 20260501 and involves a CAPTCHA bypass. The CAPTCHA images generated by the system have limited complexity and use predictable character sets, which allows attackers to collect samples and train a custom optical character recognition (OCR) model. Using this model, attackers can reliably predict the CAPTCHA challenge text, effectively bypassing the CAPTCHA protections.

This bypass enables unauthenticated remote attackers to defeat challenge controls designed to prevent automated abuse on functions such as login, registration, and other protected actions.

Impact Analysis

The vulnerability allows attackers to bypass CAPTCHA protections, which can lead to automated abuse of the affected system. This includes automated registrations, logins, and credential stuffing attacks without needing authentication.

Such automated abuse can result in unauthorized access attempts, spam registrations, account takeover attempts, and potentially further exploitation if combined with other vulnerabilities.

Detection Guidance

This vulnerability involves a CAPTCHA bypass in Discuz! X5.0 due to predictable and simple CAPTCHA images that can be defeated using Optical Character Recognition (OCR) techniques.

To detect this vulnerability on your system, you can attempt to collect CAPTCHA samples from the affected Discuz! X5.0 versions and analyze their complexity and predictability.

Since the bypass relies on training a custom OCR model, you can test whether automated scripts or OCR tools can successfully solve the CAPTCHA challenges.

There are no specific commands provided in the resources, but general approaches include:

  • Use automated tools or scripts to repeatedly request CAPTCHA images from login or registration pages.
  • Apply OCR software (e.g., Tesseract) on collected CAPTCHA images to check if the text can be reliably extracted.
  • Monitor for unusual automated activity on login or registration endpoints that might indicate CAPTCHA bypass attempts.

Mitigation Strategies

Currently, there is no official patch available for this CAPTCHA bypass vulnerability in Discuz! X5.0.

Immediate mitigation steps include:

  • Replace the CAPTCHA with a more complex scheme that uses less predictable character sets, so that OCR-based bypass becomes impractical.
  • Add additional layers of protection such as rate limiting, IP blocking, or behavioral analysis to detect and block automated abuse.
  • Monitor login and registration endpoints for suspicious activity and consider temporarily disabling automated registrations if possible.
  • Stay updated with vendor announcements for any forthcoming patches or official fixes.
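The monitoring step in the detection and mitigation lists above can be started from web-server access logs. The following Python script is an added example, not code from the advisory or from Discuz!: it flags client IPs that fetch many CAPTCHA images within a short window while submitting few forms, which is the server-side trace that bulk sample collection for OCR training leaves behind. The log lines are constructed, and the Discuz! paths (misc.php?mod=seccode for the image, member.php?mod=logging for login) are assumptions about the URL layout rather than values from the advisory.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample access-log lines (Common Log Format). The CAPTCHA image path
# (misc.php?mod=seccode) and login path are assumptions about the Discuz! URL
# layout, not values taken from the advisory.
SAMPLE_LOG = "\n".join(
    [f'203.0.113.7 - - [15/Jun/2026:10:00:{i:02d} +0000] '
     f'"GET /misc.php?mod=seccode&update={i} HTTP/1.1" 200 1820' for i in range(12)]
    + ['198.51.100.4 - - [15/Jun/2026:10:00:05 +0000] '
       '"GET /misc.php?mod=seccode&update=9 HTTP/1.1" 200 1820',
       '198.51.100.4 - - [15/Jun/2026:10:00:40 +0000] '
       '"POST /member.php?mod=logging&action=login HTTP/1.1" 200 512'])

LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                     r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return the fields of one CLF line, or None if it does not match."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    return {"ip": m["ip"], "ts": datetime.strptime(m["ts"], TS_FMT),
            "method": m["method"], "path": m["path"]}


def find_captcha_harvesters(log_text, window_s=60, fetch_threshold=10):
    """Map IP -> peak CAPTCHA fetches per window for clients that pull many
    CAPTCHA images but submit fewer than one form per five images fetched."""
    fetches = defaultdict(deque)   # ip -> timestamps of recent image requests
    posts = defaultdict(int)       # ip -> form submissions seen so far
    flagged = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["method"] == "POST":
            posts[rec["ip"]] += 1
        elif "mod=seccode" in rec["path"]:
            recent = fetches[rec["ip"]]
            recent.append(rec["ts"])
            while (recent[-1] - recent[0]).total_seconds() > window_s:
                recent.popleft()   # drop requests outside the sliding window
            if len(recent) >= fetch_threshold and posts[rec["ip"]] * 5 < len(recent):
                flagged[rec["ip"]] = max(flagged.get(rec["ip"], 0), len(recent))
    return flagged


if __name__ == "__main__":
    for ip, peak in find_captcha_harvesters(SAMPLE_LOG).items():
        print(f"{ip}: {peak} CAPTCHA fetches in 60 s with few form submissions")
```

Tune the window, threshold and fetch-to-submission ratio against your own traffic before acting on the output, since legitimate users who reload a CAPTCHA a few times must stay below the threshold.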