Platform
drupal
Component
captcha
Fixed in
1.17.0
2.0.10
CVE-2026-3214 describes an Authentication Bypass Using an Alternate Path or Channel vulnerability within the Drupal CAPTCHA module. This bypass allows attackers to circumvent CAPTCHA challenges, potentially leading to unauthorized access and subsequent actions within the Drupal system. The vulnerability affects versions of Drupal CAPTCHA ranging from 0.0.0 up to, but not including, version 2.0.10. A fix is available in version 2.0.10.
The primary impact of CVE-2026-3214 is the ability for an attacker to bypass CAPTCHA protection mechanisms. CAPTCHAs are designed to prevent automated bots from performing actions like account creation, comment spam, or form submissions. By circumventing this protection, an attacker can automate malicious activities, potentially gaining control over user accounts, injecting malicious content, or disrupting the functionality of the Drupal site. Successful exploitation could lead to data breaches, defacement of the website, or even complete compromise of the Drupal installation. The severity of the impact is directly related to the sensitivity of the data and functionality protected by the CAPTCHA.
CVE-2026-3214 was publicly disclosed on 2026-03-25. Currently, there are no publicly available proof-of-concept exploits. The vulnerability is not listed on the CISA KEV catalog. Given the nature of the bypass, it's likely that attackers will quickly develop exploits once they understand the vulnerability's mechanics.
Exploit Status
EPSS
0.04% (13% percentile)
The recommended mitigation for CVE-2026-3214 is to immediately upgrade the Drupal CAPTCHA module to version 2.0.10 or later. If an immediate upgrade is not feasible due to compatibility concerns or testing requirements, consider temporarily disabling the CAPTCHA module. While this removes the protection, it prevents further exploitation until a proper upgrade can be performed. Review Drupal's security best practices for additional hardening measures. After upgrading, verify the CAPTCHA functionality is working as expected and that no unexpected behavior is observed.
Update the CAPTCHA module to version 1.17.0 or higher, or to version 2.0.10 or higher, depending on the version branch you are using. This will resolve the authentication bypass vulnerability.
Vulnerability analysis and critical alerts directly to your inbox.
CVE-2026-3214 is a vulnerability in the Drupal CAPTCHA module allowing attackers to bypass CAPTCHA challenges, potentially gaining unauthorized access. It affects versions 0.0.0–2.0.10.
If you are using Drupal CAPTCHA version 0.0.0 through 2.0.10, you are potentially affected. Upgrade to 2.0.10 or later to mitigate the risk.
Upgrade the Drupal CAPTCHA module to version 2.0.10 or later. If immediate upgrade is not possible, temporarily disable the module.
As of now, there are no confirmed reports of active exploitation, but the vulnerability is publicly known and could be targeted.
Refer to the official Drupal security advisory page for details and updates regarding CVE-2026-3214: [https://www.drupal.org/security/advisories/CVE-2026-3214](https://www.drupal.org/security/advisories/CVE-2026-3214)
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.
Upload your composer.lock file and we'll tell you instantly if you're affected.