CAPTCHA - Moderately critical - Access bypass - SA-CONTRIB-2026-015

Project: CAPTCHADate: 2026-February-25Security risk: Moderately critical 13 ∕ 25 AC:Basic/A:None/CI:None/II:None/E:Exploit/TD:AllVulnerability: Access bypassAffected versions: <1.17.0 || >=2.0.0 < 2.0.10CVE IDs: CVE-2026-3214Description: This module enables you to protect web forms from automated spam by requiring users to pass a challenge.
The module doesn't sufficiently invalidate used security tokens under certain scenarios, which can lead to the CAPTCHA being bypassed on subsequent submissions.
This vulnerability is mitigated by the fact that an attacker must first successfully solve at least one CAPTCHA manually to harvest the valid tokens.Solution: Install the latest version:

• If you use the Captcha module 2.0.x, upgrade to Captcha 2.0.10.
• If you use the Captcha module 8.x-1.x, upgrade to Captcha 8.x-1.17.

Reported By: 

• Andrew Belcher (andrewbelcher)
• Chris Dudley (dudleyc)
• tamasd
• Tim Wood (timwood)

Fixed By: 

• Joshua Sedler (grevil)
• Jakob P (japerry)
• Adam Nagy (joevagyok)

Coordinated By: 

• cilefen (cilefen) of the Drupal Security Team
• Damien McKenna (damienmckenna) of the Drupal Security Team
• Greg Knaddison (greggles) of the Drupal Security Team
• Michael Hess (mlhess) of the Drupal Security Team
• Juraj Nemec (poker10) of the Drupal Security Team
• Jess (xjm) of the Drupal Security Team