{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-3214", "assignerOrgId": "2c85b837-eb8b-40ed-9d74-228c62987387", "state": "PUBLISHED", "assignerShortName": "drupal", "dateReserved": "2026-02-25T16:59:29.386Z", "datePublished": "2026-03-25T15:23:43.968Z", "dateUpdated": "2026-03-26T13:44:25.007Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "2c85b837-eb8b-40ed-9d74-228c62987387", "shortName": "drupal", "dateUpdated": "2026-03-25T15:23:43.968Z"}, "title": "CAPTCHA - Moderately critical - Access bypass - SA-CONTRIB-2026-015", "datePublic": "2026-02-25T18:47:00.000Z", "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-288", "description": "CWE-288 Authentication Bypass Using an Alternate Path or Channel", "type": "CWE"}]}], "impacts": [{"capecId": "CAPEC-554", "descriptions": [{"lang": "en", "value": "CAPEC-554 Functionality Bypass"}]}], "affected": [{"vendor": "Drupal", "product": "CAPTCHA", "collectionURL": "https://www.drupal.org/project/captcha", "repo": "https://git.drupalcode.org/project/captcha", "versions": [{"status": "affected", "version": "0.0.0", "lessThan": "1.17.0", "versionType": "semver"}, {"status": "affected", "version": "2.0.0", "lessThan": "2.0.10", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "Authentication Bypass Using an Alternate Path or Channel vulnerability in Drupal CAPTCHA allows Functionality Bypass.This issue affects CAPTCHA: from 0.0.0 before 1.17.0, from 2.0.0 before 2.0.10.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "Authentication Bypass Using an Alternate Path or Channel vulnerability in Drupal CAPTCHA allows Functionality Bypass.<p>This issue affects CAPTCHA: from 0.0.0 before 1.17.0, from 2.0.0 before 2.0.10.</p>"}]}], "references": [{"url": "https://www.drupal.org/sa-contrib-2026-015"}], "credits": [{"lang": "en", "value": "Andrew Wang (andrew.wang)", "type": "finder"}, {"lang": "en", "value": "Andrew Belcher (andrewbelcher)", "type": "finder"}, {"lang": "en", "value": "Chris Dudley (dudleyc)", "type": "finder"}, {"lang": "en", "value": "M Parker (mparker17)", "type": "finder"}, {"lang": "en", "value": "tamasd", "type": "finder"}, {"lang": "en", "value": "Tim Wood (timwood)", "type": "finder"}, {"lang": "en", "value": "Denis K**** (dench0)", "type": "remediation developer"}, {"lang": "en", "value": "Joshua Sedler (grevil)", "type": "remediation developer"}, {"lang": "en", "value": "Jakob P (japerry)", "type": "remediation developer"}, {"lang": "en", "value": "Adam Nagy (joevagyok)", "type": "remediation developer"}, {"lang": "en", "value": "cilefen (cilefen)", "type": "coordinator"}, {"lang": "en", "value": "Damien McKenna (damienmckenna)", "type": "coordinator"}, {"lang": "en", "value": "Greg Knaddison (greggles)", "type": "coordinator"}, {"lang": "en", "value": "Lee Rowlands (larowlan)", "type": "coordinator"}, {"lang": "en", "value": "Michael Hess (mlhess)", "type": "coordinator"}, {"lang": "en", "value": "Juraj Nemec (poker10)", "type": "coordinator"}, {"lang": "en", "value": "Jess (xjm)", "type": "coordinator"}], "source": {"discovery": "UNKNOWN"}, "x_generator": {"engine": "Vulnogram 1.0.1"}}, "adp": [{"metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-03-26T13:44:20.728731Z", "id": "CVE-2026-3214", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-26T13:44:25.007Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"cna": {"title": "CAPTCHA - Moderately critical - Access bypass - SA-CONTRIB-2026-015", "source": {"discovery": "UNKNOWN"}, "credits": [{"lang": "en", "type": "finder", "value": "Andrew Wang (andrew.wang)"}, {"lang": "en", "type": "finder", "value": "Andrew Belcher (andrewbelcher)"}, {"lang": "en", "type": "finder", "value": "Chris Dudley (dudleyc)"}, {"lang": "en", "type": "finder", "value": "M Parker (mparker17)"}, {"lang": "en", "type": "finder", "value": "tamasd"}, {"lang": "en", "type": "finder", "value": "Tim Wood (timwood)"}, {"lang": "en", "type": "remediation developer", "value": "Denis K**** (dench0)"}, {"lang": "en", "type": "remediation developer", "value": "Joshua Sedler (grevil)"}, {"lang": "en", "type": "remediation developer", "value": "Jakob P (japerry)"}, {"lang": "en", "type": "remediation developer", "value": "Adam Nagy (joevagyok)"}, {"lang": "en", "type": "coordinator", "value": "cilefen (cilefen)"}, {"lang": "en", "type": "coordinator", "value": "Damien McKenna (damienmckenna)"}, {"lang": "en", "type": "coordinator", "value": "Greg Knaddison (greggles)"}, {"lang": "en", "type": "coordinator", "value": "Lee Rowlands (larowlan)"}, {"lang": "en", "type": "coordinator", "value": "Michael Hess (mlhess)"}, {"lang": "en", "type": "coordinator", "value": "Juraj Nemec (poker10)"}, {"lang": "en", "type": "coordinator", "value": "Jess (xjm)"}], "impacts": [{"capecId": "CAPEC-554", "descriptions": [{"lang": "en", "value": "CAPEC-554 Functionality Bypass"}]}], "affected": [{"repo": "https://git.drupalcode.org/project/captcha", "vendor": "Drupal", "product": "CAPTCHA", "versions": [{"status": "affected", "version": "0.0.0", "lessThan": "1.17.0", "versionType": "semver"}, {"status": "affected", "version": "2.0.0", "lessThan": "2.0.10", "versionType": "semver"}], "collectionURL": "https://www.drupal.org/project/captcha", "defaultStatus": "unaffected"}], "datePublic": "2026-02-25T18:47:00.000Z", "references": [{"url": "https://www.drupal.org/sa-contrib-2026-015"}], "x_generator": {"engine": "Vulnogram 1.0.1"}, "descriptions": [{"lang": "en", "value": "Authentication Bypass Using an Alternate Path or Channel vulnerability in Drupal CAPTCHA allows Functionality Bypass.This issue affects CAPTCHA: from 0.0.0 before 1.17.0, from 2.0.0 before 2.0.10.", "supportingMedia": [{"type": "text/html", "value": "Authentication Bypass Using an Alternate Path or Channel vulnerability in Drupal CAPTCHA allows Functionality Bypass.<p>This issue affects CAPTCHA: from 0.0.0 before 1.17.0, from 2.0.0 before 2.0.10.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-288", "description": "CWE-288 Authentication Bypass Using an Alternate Path or Channel"}]}], "providerMetadata": {"orgId": "2c85b837-eb8b-40ed-9d74-228c62987387", "shortName": "drupal", "dateUpdated": "2026-03-25T15:23:43.968Z"}}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-3214", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-26T13:44:20.728731Z"}}}], "providerMetadata": {"shortName": "CISA-ADP", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "dateUpdated": "2026-03-26T13:43:58.714Z"}}]}, "cveMetadata": {"cveId": "CVE-2026-3214", "state": "PUBLISHED", "dateUpdated": "2026-03-25T15:23:43.968Z", "dateReserved": "2026-02-25T16:59:29.386Z", "assignerOrgId": "2c85b837-eb8b-40ed-9d74-228c62987387", "datePublished": "2026-03-25T15:23:43.968Z", "assignerShortName": "drupal"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Authentication Bypass Using an Alternate Path or Channel vulnerability in Drupal CAPTCHA allows Functionality Bypass.This issue affects CAPTCHA: from 0.0.0 before 1.17.0, from 2.0.0 before 2.0.10."}], "id": "CVE-2026-3214", "lastModified": "2026-03-26T15:16:40.323", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 2.5, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-03-25T16:16:22.490", "references": [{"source": "mlhess@drupal.org", "url": "https://www.drupal.org/sa-contrib-2026-015"}], "sourceIdentifier": "mlhess@drupal.org", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-288"}], "source": "mlhess@drupal.org", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0.0.0,1.17.0)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[2.0.0,2.0.10)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "product": "captcha", "vendor": "drupal"}], "analysis": {"en": {"generated_at": "2026-03-25T16:52:28.619642+00:00", "value": {"mitigation_remediation": ["Update the Drupal CAPTCHA module to 1.17.0 or later, or to 2.0.10 or later following the vendor\u2019s upgrade guidance.", "If an update cannot be applied immediately, remove or disable the CAPTCHA module from authentication forms and replace it with an alternative access control mechanism such as two\u2011factor authentication.", "Verify that the module is not present on any deployed environment by checking the installed module list and reviewing configuration files."], "summary": {"action": "Patch immediately", "impact": "Authentication bypass via alternate path or channel"}, "threat_synthesis": {"affected_systems": "Drupal CAPTCHA versions prior to 1.17.0 in the 0.0.0\u20111.16.x series, and prior to 2.0.10 in the 2.0.x series are affected. Sites that have these versions installed are vulnerable whether the CAPTCHA functionality is used on login, registration or any custom form requiring verification.", "description_and_impact": "The Drupal CAPTCHA module contains a flaw that lets an attacker bypass the normal authentication flow by accessing the service through an alternate path or channel, thereby allowing them to perform actions that should require valid authentication. This weakness is classified as CWE\u2011288, which concerns unauthorized access to privileged functions. The effect is that a user who can exploit the vulnerability can circumvent CAPTCHA checks and gain unauthorized access to features that depend on CAPTCHA validation.", "risk_and_exploitability": "The issue is described as moderately critical, indicating a moderate to high potential impact. While no EPSS score is available and the vulnerability is not listed in the CISA KEV catalog, the nature of the flaw suggests that an attacker could exploit it by following an alternate route to the CAPTCHA endpoint. The absence of a public exploit record does not reduce the risk, as any user with sufficient access to the web application\u2019s form handling could trigger the bypass."}}}}, "created": "2026-03-25T21:31:02.512587+00:00", "updated": "2026-03-26T11:42:55.050790+00:00", "vendors": ["drupal", "drupal$PRODUCT$captcha"]}