Platform: drupal
Component: captcha
Fixed in: 1.17.0, 2.0.10
CVE-2026-3214 describes an Authentication Bypass Using an Alternate Path or Channel vulnerability within the Drupal CAPTCHA module. This bypass allows attackers to circumvent CAPTCHA challenges, potentially leading to unauthorized access and subsequent actions within the Drupal system. The vulnerability affects versions of Drupal CAPTCHA ranging from 0.0.0 up to, but not including, version 2.0.10. A fix is available in version 2.0.10.
The primary impact of CVE-2026-3214 is the ability for an attacker to bypass CAPTCHA protection mechanisms. CAPTCHAs are designed to prevent automated bots from performing actions like account creation, comment spam, or form submissions. By circumventing this protection, an attacker can automate malicious activities, potentially gaining control over user accounts, injecting malicious content, or disrupting the functionality of the Drupal site. Successful exploitation could lead to data breaches, defacement of the website, or even complete compromise of the Drupal installation. The severity of the impact is directly related to the sensitivity of the data and functionality protected by the CAPTCHA.
CVE-2026-3214 was publicly disclosed on 2026-03-25. Currently, there are no publicly available proof-of-concept exploits. The vulnerability is not listed on the CISA KEV catalog. Given the nature of the bypass, it's likely that attackers will quickly develop exploits once they understand the vulnerability's mechanics.
Drupal websites using the CAPTCHA module in versions from 0.0.0 up to, but not including, 2.0.10 are at risk. This includes sites that rely on CAPTCHA for user registration, comment moderation, or other forms of access control. Shared hosting environments running Drupal with vulnerable CAPTCHA installations are particularly susceptible.
• drupal: Review Drupal logs for unusual authentication patterns or attempts to bypass CAPTCHA challenges.
• drupal: Check the Drupal CAPTCHA module version using drush pm:core-status or the Drupal admin interface.
• generic web: Monitor for automated login attempts or suspicious form submissions that bypass expected CAPTCHA challenges.
EPSS: 0.04% (13th percentile)
The recommended mitigation for CVE-2026-3214 is to immediately upgrade the Drupal CAPTCHA module to version 2.0.10 or later. If an immediate upgrade is not feasible due to compatibility concerns or testing requirements, consider temporarily disabling the CAPTCHA module. While this removes the protection, it prevents further exploitation until a proper upgrade can be performed. Review Drupal's security best practices for additional hardening measures. After upgrading, verify the CAPTCHA functionality is working as expected and that no unexpected behavior is observed.
Update the CAPTCHA module to version 1.17.0 or later, or to version 2.0.10 or later, depending on the release branch you are using. This resolves the authentication bypass vulnerability.
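The version check from the detection list and the two fixed releases named in the mitigation, combined into an added example that is not part of this advisory or of the Drupal project: it reads a composer.lock, finds drupal/captcha, and reports whether the installed release is below the fix for its branch (1.17.0 on 1.x, 2.0.10 on 2.x). The sample lock file is constructed inline.

```python
"""Check a composer.lock for a drupal/captcha release affected by CVE-2026-3214."""
import json
import re

# Fixed releases named in the advisory, keyed by major release branch.
FIXED = {1: (1, 17, 0), 2: (2, 0, 10)}


def parse_version(version: str):
    """Turn '2.0.9' or 'v1.16.0' into a comparable tuple.
    Returns None for dev/branch versions (e.g. 'dev-2.x') that cannot be compared."""
    m = re.fullmatch(r"v?(\d+)\.(\d+)\.(\d+)", version.strip())
    return tuple(int(p) for p in m.groups()) if m else None


def is_vulnerable(version: str):
    """True if the release is older than the fix for its branch, False if fixed.
    None means the advisory's branch rule cannot be applied (unknown format or branch)."""
    parsed = parse_version(version)
    if parsed is None:
        return None
    fixed = FIXED.get(parsed[0])
    if fixed is None:
        return None
    return parsed < fixed


def check_lock(lock_text: str):
    """Return (installed_version, vulnerable) for drupal/captcha, or None if absent."""
    data = json.loads(lock_text)
    for section in ("packages", "packages-dev"):
        for pkg in data.get(section, []):
            if pkg.get("name") == "drupal/captcha":
                return pkg["version"], is_vulnerable(pkg["version"])
    return None


# Constructed sample lock file; not taken from any real project.
SAMPLE_LOCK = json.dumps({
    "packages": [
        {"name": "drupal/core", "version": "10.3.2"},
        {"name": "drupal/captcha", "version": "2.0.9"},
    ],
    "packages-dev": [],
})

if __name__ == "__main__":
    found = check_lock(SAMPLE_LOCK)
    if found is None:
        print("drupal/captcha not installed")
    else:
        print(f"drupal/captcha {found[0]}: vulnerable={found[1]}")
```

To run against a real site, replace SAMPLE_LOCK with the contents of the project's composer.lock; a None result for the vulnerable flag means the version string needs manual review.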
CVE-2026-3214 is a vulnerability in the Drupal CAPTCHA module that allows attackers to bypass CAPTCHA challenges, potentially gaining unauthorized access. It affects versions from 0.0.0 up to, but not including, 2.0.10.
If you are using Drupal CAPTCHA in a version from 0.0.0 up to, but not including, 2.0.10, you are potentially affected. Upgrade to 2.0.10 or later to mitigate the risk.
Upgrade the Drupal CAPTCHA module to version 2.0.10 or later. If immediate upgrade is not possible, temporarily disable the module.
As of now, there are no confirmed reports of active exploitation, but the vulnerability is publicly known and could be targeted.
Refer to the official Drupal security advisory page for details and updates regarding CVE-2026-3214: [https://www.drupal.org/security/advisories/CVE-2026-3214](https://www.drupal.org/security/advisories/CVE-2026-3214)