CAPTCHA - Moderately critical - Access bypass - SA-CONTRIB-2026-015

Project:

CAPTCHA

Date:

2026-February-25

Security risk:

Moderately critical 13 ∕ 25 AC:Basic/A:None/CI:None/II:None/E:Exploit/TD:All

Vulnerability:

Access bypass

Affected versions:

<1.17.0 || >=2.0.0 < 2.0.10

CVE IDs:

CVE-2026-3214

Description:

This module enables you to protect web forms from automated spam by requiring users to pass a challenge.

The module doesn't sufficiently invalidate used security tokens under certain scenarios, which can lead to the CAPTCHA being bypassed on subsequent submissions.

This vulnerability is mitigated by the fact that an attacker must first successfully solve at least one CAPTCHA manually to harvest the valid tokens.

Solution:

Install the latest version:

If you use the Captcha module 2.0.x, upgrade to Captcha 2.0.10.
If you use the Captcha module 8.x-1.x, upgrade to Captcha 8.x-1.17.

Reported By:

Fixed By:

Coordinated By:

cilefen (cilefen) of the Drupal Security Team
Damien McKenna (damienmckenna) of the Drupal Security Team
Greg Knaddison (greggles) of the Drupal Security Team
Lee Rowlands (larowlan) of the Drupal Security Team
Michael Hess (mlhess) of the Drupal Security Team
Juraj Nemec (poker10) of the Drupal Security Team
Jess (xjm) of the Drupal Security Team

CAPTCHA - Moderately critical - Access bypass - SA-CONTRIB-2026-015

Contact and more information

Contributing organizations for this advisory

News items

Our community

Documentation

Drupal code base

Governance of community