{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-3214", "assignerOrgId": "2c85b837-eb8b-40ed-9d74-228c62987387", "state": "PUBLISHED", "assignerShortName": "drupal", "dateReserved": "2026-02-25T16:59:29.386Z", "datePublished": "2026-03-25T15:23:43.968Z", "dateUpdated": "2026-03-26T13:44:25.007Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "2c85b837-eb8b-40ed-9d74-228c62987387", "shortName": "drupal", "dateUpdated": "2026-03-25T15:23:43.968Z"}, "title": "CAPTCHA - Moderately critical - Access bypass - SA-CONTRIB-2026-015", "datePublic": "2026-02-25T18:47:00.000Z", "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-288", "description": "CWE-288 Authentication Bypass Using an Alternate Path or Channel", "type": "CWE"}]}], "impacts": [{"capecId": "CAPEC-554", "descriptions": [{"lang": "en", "value": "CAPEC-554 Functionality Bypass"}]}], "affected": [{"vendor": "Drupal", "product": "CAPTCHA", "collectionURL": "https://www.drupal.org/project/captcha", "repo": "https://git.drupalcode.org/project/captcha", "versions": [{"status": "affected", "version": "0.0.0", "lessThan": "1.17.0", "versionType": "semver"}, {"status": "affected", "version": "2.0.0", "lessThan": "2.0.10", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "Authentication Bypass Using an Alternate Path or Channel vulnerability in Drupal CAPTCHA allows Functionality Bypass.This issue affects CAPTCHA: from 0.0.0 before 1.17.0, from 2.0.0 before 2.0.10.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "Authentication Bypass Using an Alternate Path or Channel vulnerability in Drupal CAPTCHA allows Functionality Bypass.<p>This issue affects CAPTCHA: from 0.0.0 before 1.17.0, from 2.0.0 before 2.0.10.</p>"}]}], "references": [{"url": "https://www.drupal.org/sa-contrib-2026-015"}], "credits": [{"lang": "en", "value": "Andrew Wang (andrew.wang)", "type": "finder"}, {"lang": "en", "value": "Andrew Belcher (andrewbelcher)", "type": "finder"}, {"lang": "en", "value": "Chris Dudley (dudleyc)", "type": "finder"}, {"lang": "en", "value": "M Parker (mparker17)", "type": "finder"}, {"lang": "en", "value": "tamasd", "type": "finder"}, {"lang": "en", "value": "Tim Wood (timwood)", "type": "finder"}, {"lang": "en", "value": "Denis K**** (dench0)", "type": "remediation developer"}, {"lang": "en", "value": "Joshua Sedler (grevil)", "type": "remediation developer"}, {"lang": "en", "value": "Jakob P (japerry)", "type": "remediation developer"}, {"lang": "en", "value": "Adam Nagy (joevagyok)", "type": "remediation developer"}, {"lang": "en", "value": "cilefen (cilefen)", "type": "coordinator"}, {"lang": "en", "value": "Damien McKenna (damienmckenna)", "type": "coordinator"}, {"lang": "en", "value": "Greg Knaddison (greggles)", "type": "coordinator"}, {"lang": "en", "value": "Lee Rowlands (larowlan)", "type": "coordinator"}, {"lang": "en", "value": "Michael Hess (mlhess)", "type": "coordinator"}, {"lang": "en", "value": "Juraj Nemec (poker10)", "type": "coordinator"}, {"lang": "en", "value": "Jess (xjm)", "type": "coordinator"}], "source": {"discovery": "UNKNOWN"}, "x_generator": {"engine": "Vulnogram 1.0.1"}}, "adp": [{"metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-03-26T13:44:20.728731Z", "id": "CVE-2026-3214", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-26T13:44:25.007Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-3214", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-26T13:44:20.728731Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-26T13:43:58.714Z"}}], "cna": {"title": "CAPTCHA - Moderately critical - Access bypass - SA-CONTRIB-2026-015", "source": {"discovery": "UNKNOWN"}, "credits": [{"lang": "en", "type": "finder", "value": "Andrew Wang (andrew.wang)"}, {"lang": "en", "type": "finder", "value": "Andrew Belcher (andrewbelcher)"}, {"lang": "en", "type": "finder", "value": "Chris Dudley (dudleyc)"}, {"lang": "en", "type": "finder", "value": "M Parker (mparker17)"}, {"lang": "en", "type": "finder", "value": "tamasd"}, {"lang": "en", "type": "finder", "value": "Tim Wood (timwood)"}, {"lang": "en", "type": "remediation developer", "value": "Denis K**** (dench0)"}, {"lang": "en", "type": "remediation developer", "value": "Joshua Sedler (grevil)"}, {"lang": "en", "type": "remediation developer", "value": "Jakob P (japerry)"}, {"lang": "en", "type": "remediation developer", "value": "Adam Nagy (joevagyok)"}, {"lang": "en", "type": "coordinator", "value": "cilefen (cilefen)"}, {"lang": "en", "type": "coordinator", "value": "Damien McKenna (damienmckenna)"}, {"lang": "en", "type": "coordinator", "value": "Greg Knaddison (greggles)"}, {"lang": "en", "type": "coordinator", "value": "Lee Rowlands (larowlan)"}, {"lang": "en", "type": "coordinator", "value": "Michael Hess (mlhess)"}, {"lang": "en", "type": "coordinator", "value": "Juraj Nemec (poker10)"}, {"lang": "en", "type": "coordinator", "value": "Jess (xjm)"}], "impacts": [{"capecId": "CAPEC-554", "descriptions": [{"lang": "en", "value": "CAPEC-554 Functionality Bypass"}]}], "affected": [{"repo": "https://git.drupalcode.org/project/captcha", "vendor": "Drupal", "product": "CAPTCHA", "versions": [{"status": "affected", "version": "0.0.0", "lessThan": "1.17.0", "versionType": "semver"}, {"status": "affected", "version": "2.0.0", "lessThan": "2.0.10", "versionType": "semver"}], "collectionURL": "https://www.drupal.org/project/captcha", "defaultStatus": "unaffected"}], "datePublic": "2026-02-25T18:47:00.000Z", "references": [{"url": "https://www.drupal.org/sa-contrib-2026-015"}], "x_generator": {"engine": "Vulnogram 1.0.1"}, "descriptions": [{"lang": "en", "value": "Authentication Bypass Using an Alternate Path or Channel vulnerability in Drupal CAPTCHA allows Functionality Bypass.This issue affects CAPTCHA: from 0.0.0 before 1.17.0, from 2.0.0 before 2.0.10.", "supportingMedia": [{"type": "text/html", "value": "Authentication Bypass Using an Alternate Path or Channel vulnerability in Drupal CAPTCHA allows Functionality Bypass.<p>This issue affects CAPTCHA: from 0.0.0 before 1.17.0, from 2.0.0 before 2.0.10.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-288", "description": "CWE-288 Authentication Bypass Using an Alternate Path or Channel"}]}], "providerMetadata": {"orgId": "2c85b837-eb8b-40ed-9d74-228c62987387", "shortName": "drupal", "dateUpdated": "2026-03-25T15:23:43.968Z"}}}, "cveMetadata": {"cveId": "CVE-2026-3214", "state": "PUBLISHED", "dateUpdated": "2026-03-26T13:44:25.007Z", "dateReserved": "2026-02-25T16:59:29.386Z", "assignerOrgId": "2c85b837-eb8b-40ed-9d74-228c62987387", "datePublished": "2026-03-25T15:23:43.968Z", "assignerShortName": "drupal"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:arnabdotorg:captcha:*:*:*:*:*:drupal:*:*", "matchCriteriaId": "1E80D35D-CC93-4EE7-BF90-D228FFA6C642", "versionEndExcluding": "8.x-1.17", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:arnabdotorg:captcha:*:*:*:*:*:drupal:*:*", "matchCriteriaId": "467B3608-A978-494B-A32B-0662D997FEFC", "versionEndExcluding": "2.0.10", "versionStartIncluding": "2.0.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Authentication Bypass Using an Alternate Path or Channel vulnerability in Drupal CAPTCHA allows Functionality Bypass.This issue affects CAPTCHA: from 0.0.0 before 1.17.0, from 2.0.0 before 2.0.10."}, {"lang": "es", "value": "Vulnerabilidad de omisi\u00f3n de autenticaci\u00f3n usando una ruta o canal alternativo en Drupal CAPTCHA permite la omisi\u00f3n de funcionalidad. Este problema afecta a CAPTCHA: desde 0.0.0 antes de 1.17.0, desde 2.0.0 antes de 2.0.10."}], "id": "CVE-2026-3214", "lastModified": "2026-04-02T20:36:11.023", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 2.5, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-03-25T16:16:22.490", "references": [{"source": "mlhess@drupal.org", "tags": ["Vendor Advisory"], "url": "https://www.drupal.org/sa-contrib-2026-015"}], "sourceIdentifier": "mlhess@drupal.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-288"}], "source": "mlhess@drupal.org", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0.0.0,1.17.0)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[2.0.0,2.0.10)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "product": "captcha", "vendor": "drupal"}], "analysis": {"en": {"generated_at": "2026-04-02T22:17:44.423050+00:00", "value": {"mitigation_remediation": ["Upgrade the Drupal CAPTCHA module to version 1.17.0 or later, or to 2.0.10 or later, as directed by the official Drupal security advisory.", "If an upgrade cannot be performed immediately, temporarily disable the CAPTCHA module on all forms until the update is applied.", "Verify that the module is no longer vulnerable by attempting a bypass test or using an automated security scanner.", "Monitor form and login logs for repeated submissions or abnormal activity that may indicate the use of an unprotected bypass."], "summary": {"action": "Patch", "impact": "Authentication Bypass via CAPTCHA"}, "threat_synthesis": {"affected_systems": "Vulnerable releases of the Drupal CAPTCHA module include all versions from the initial release 0.0.0 up through 1.16.9, as well as 2.0.0 through 2.0.9. System administrators should verify whether these modules are installed on their Drupal sites.", "description_and_impact": "This vulnerability is an authentication bypass that allows attackers to circumvent the CAPTCHA verification mechanism in Drupal. By using an alternate path or channel, an adversary can submit form data without completing the CAPTCHA, thereby enabling automated spam or brute\u2011force attacks. The weakness is an access\u2011control failure, classified as CWE\u2011288, which can compromise the integrity of the submission process and allow unauthorized actions that should be protected by CAPTCHA.", "risk_and_exploitability": "The CVSS base score of 6.5 indicates moderate risk, and the EPSS score of less than 1\u202f% reflects a low probability of exploitation in the wild. The vulnerability does not appear in the CISA KEV catalog. Attackers need only send crafted HTTP requests to the CAPTCHA endpoint; no special permission or privileged access is required. Because the flaw involves an alternate request channel, it can be triggered from a normal web browser or automated tool, making it potentially exploitable even against sites with minimal hardening."}}}}, "created": "2026-03-25T21:31:02.512587+00:00", "updated": "2026-04-03T09:39:03.712468+00:00", "vendors": ["drupal", "drupal$PRODUCT$captcha"]}