CVE-2026-3214

CVE-2026-3214: CAPTCHA - Moderately critical - Access bypass - SA-CONTRIB-2026-015

Vendor Drupal
Product CAPTCHA
Weakness CWE-288
Published March 25, 2026
Last update March 26, 2026
View on NVD All CVEs

CVSS base score

What the vulnerability does

01Description

Authentication Bypass Using an Alternate Path or Channel vulnerability in Drupal CAPTCHA allows Functionality Bypass.This issue affects CAPTCHA: from 0.0.0 before 1.17.0, from 2.0.0 before 2.0.10.

Explanation of Vulnerability in Simple Terms

02Summary

A vulnerability in the Drupal CAPTCHA module versions before 1.17.0 relates to authentication or identity verification. The exact attack vector and impact cannot be determined from available metadata. Site administrators should update to version 1.17.0 or later immediately.

What an attacker can do

03Attacker Capabilities

Unknown; insufficient CVSS and CWE data to determine attack capability.

Potential impact on your site

04Site Impact

Update the CAPTCHA module to 1.17.0 or later to address a potential authentication-related vulnerability.

Conditions required to exploit

05Prerequisites

Unknown; CVSS vector data not provided.

Key dates

06Disclosure timeline

March 25, 2026 CVE published
March 26, 2026 Record updated

Related vulnerabilities

08Related CVE

CVE-2020-4050 set-screen-option filter misuse by plugins leading to privilege escalation in WordPress CVE-2023-2546 WP User Switch <= 1.0.2 - Authenticated (Subscriber+) Authentication Bypass via Cookie CVE-2026-42745 WordPress Smart Online Order for Clover plugin <= 1.6.0 - Broken Authentication vulnerability CVE-2025-69101 WordPress Workreap Core plugin <= 3.4.1 - Broken Authentication vulnerability CVE-2024-54297 WordPress vBSSO-lite plugin <= 1.4.3 - Account Takeover vulnerability