• Advisory ID: DRUPAL-SA-2007-006
  • Project: Captcha (third-party module)
  • Version: 4.7.x, 5.x
  • Date: 2007-Jan-30
  • Security risk: Less critical
  • Exploitable from: Remote
  • Vulnerability: Captcha bypass


Captcha validation can be bypassed by manipulating request variables while posting or by providing certain (incorrect) responses. This defeats the purpose of the captcha and makes automated submission possible.

Versions affected

  • All versions of Captcha 4.7.x prior to Captcha 4.7-1.2.
  • All versions of Captcha 5.x prior to Captcha 5.x-1.1.

Drupal core is not affected. If you do not use the contributed Captcha module, there is nothing you need to do.


Install the latest version:

See also the Captcha project page.

Reported by

The Drupal security team.
William Smith independently discovered the bypass with "certain (incorrect) responses".


The security contact for Drupal can be reached at security at drupal.org or via the form at http://drupal.org/contact.