CAPTCHA - Moderately critical - Access bypass - SA-CONTRIB-2026-015 - Security-news

25 Feb 2026


      View online: https://www.drupal.org/sa-contrib-2026-015
Project: CAPTCHA [1]
Date: 2026-February-25
Security risk: *Moderately critical* 13 ∕ 25
AC:Basic/A:None/CI:None/II:None/E:Exploit/TD:All [2]
Vulnerability: Access bypass
Affected versions: <1.17.0 || >=2.0.0 < 2.0.10
CVE IDs: CVE-2026-3214
Description: 
This module enables you to protect web forms from automated spam by requiring
users to pass a challenge.
The module doesn't sufficiently invalidate used security tokens under certain
scenarios, which can lead to the CAPTCHA being bypassed on subsequent
submissions.
This vulnerability is mitigated by the fact that an attacker must first
successfully solve at least one CAPTCHA manually to harvest the valid tokens.
Solution: 
Install the latest version:
* If you use the Captcha module 2.0.x, upgrade to Captcha 2.0.10 [3].
  * If you use the Captcha module 8.x-1.x, upgrade to Captcha 8.x-1.17 [4].
Reported By: 
  * Andrew Belcher (andrewbelcher) [5]
  * Chris Dudley (dudleyc) [6]
  * tamasd [7]
  * Tim Wood (timwood) [8]
Fixed By: 
  * Joshua Sedler (grevil) [9]
  * Jakob P (japerry) [10]
  * Adam Nagy (joevagyok) [11]
Coordinated By: 
  * cilefen  (cilefen) [12] of the Drupal Security Team
  * Damien McKenna (damienmckenna) [13] of the Drupal Security Team
  * Greg Knaddison (greggles) [14] of the Drupal Security Team
  * Michael Hess (mlhess) [15] of the Drupal Security Team
  * Juraj Nemec (poker10) [16] of the Drupal Security Team
  * Jess  (xjm) [17] of the Drupal Security Team
------------------------------------------------------------------------------
Contribution record [18]
[1] https://www.drupal.org/project/captcha
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/captcha/releases/2.0.10
[4] https://www.drupal.org/project/captcha/releases/8.x-1.17
[5] https://www.drupal.org/u/andrewbelcher
[6] https://www.drupal.org/u/dudleyc
[7] https://www.drupal.org/u/tamasd
[8] https://www.drupal.org/u/timwood
[9] https://www.drupal.org/u/grevil
[10] https://www.drupal.org/u/japerry
[11] https://www.drupal.org/u/joevagyok
[12] https://www.drupal.org/u/cilefen
[13] https://www.drupal.org/u/damienmckenna
[14] https://www.drupal.org/u/greggles
[15] https://www.drupal.org/u/mlhess
[16] https://www.drupal.org/u/poker10
[17] https://www.drupal.org/u/xjm
[18]  
https://new.drupal.org/contribution-record?source_link=https%3A//www.drupal....