CVE-2026-3214 PUBLISHED

CAPTCHA - Moderately critical - Access bypass - SA-CONTRIB-2026-015

Assigner: drupal
Reserved: 25.02.2026 Published: 25.03.2026 Updated: 25.03.2026

Authentication Bypass Using an Alternate Path or Channel vulnerability in Drupal CAPTCHA allows Functionality Bypass.This issue affects CAPTCHA: from 0.0.0 before 1.17.0, from 2.0.0 before 2.0.10.

Product Status

Vendor	Drupal
Product	CAPTCHA
Versions	Default: unaffected affected from 0.0.0 to 1.17.0 (excl.) affected from 2.0.0 to 2.0.10 (excl.)

Credits

Andrew Wang (andrew.wang) finder
Andrew Belcher (andrewbelcher) finder
Chris Dudley (dudleyc) finder
M Parker (mparker17) finder
tamasd finder
Tim Wood (timwood) finder
Denis K**** (dench0) remediation developer
Joshua Sedler (grevil) remediation developer
Jakob P (japerry) remediation developer
Adam Nagy (joevagyok) remediation developer
cilefen (cilefen) coordinator
Damien McKenna (damienmckenna) coordinator
Greg Knaddison (greggles) coordinator
Lee Rowlands (larowlan) coordinator
Michael Hess (mlhess) coordinator
Juraj Nemec (poker10) coordinator
Jess (xjm) coordinator

References

https://www.drupal.org/sa-contrib-2026-015

Problem Types

CWE-288 Authentication Bypass Using an Alternate Path or Channel CWE

Impacts

CAPEC-554 Functionality Bypass