it-securitynotifies - [IT-SecNots] [Security-news] CAPTCHA - Moderately critical - Access bypass - SA-CONTRIB-2026-015

  • From: security-news AT drupal.org
  • To: security-news AT drupal.org
  • Subject: [IT-SecNots] [Security-news] CAPTCHA - Moderately critical - Access bypass - SA-CONTRIB-2026-015
  • Date: Wed, 25 Feb 2026 18:47:58 +0000 (UTC)
  • Archived-at: <https://lists.drupal.org/mailman3/hyperkitty/list/security-news AT drupal.org/message/4OOZDU5YMJZBYVO4VSN2PPRVKQRVHVP3/>
  • List-archive: <https://lists.drupal.org/mailman3/hyperkitty/list/security-news AT drupal.org/>
  • List-id: <security-news.drupal.org>

View online: https://www.drupal.org/sa-contrib-2026-015

Project: CAPTCHA [1]
Date: 2026-February-25
Security risk: *Moderately critical* 13/25
AC:Basic/A:None/CI:None/II:None/E:Exploit/TD:All [2]
Vulnerability: Access bypass

Affected versions: <1.17.0 || >=2.0.0 < 2.0.10
CVE IDs: CVE-2026-3214
Description: 
This module enables you to protect web forms from automated spam by requiring
users to pass a challenge.

The module doesn't sufficiently invalidate used security tokens under certain
scenarios, which can lead to the CAPTCHA being bypassed on subsequent
submissions.

This vulnerability is mitigated by the fact that an attacker must first
successfully solve at least one CAPTCHA manually to harvest the valid tokens.
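The token-reuse defect described above, as an added Python illustration (not the Captcha module's code): a challenge store that does not consume a verified token accepts the same token and answer a second time, while one that consumes the token on the first attempt rejects the replay. Store layout, token format and the sample answer are constructed for this example.

```python
"""Single-use CAPTCHA token handling: a store that forgets to consume
tokens (the defect class SA-CONTRIB-2026-015 describes) next to one
that does. Illustration only, not the Drupal Captcha module's code."""
import hmac
import secrets


class CaptchaStore:
    """Keeps token -> expected answer in memory (a stand-in for a
    database table or cache; constructed for this example)."""

    def __init__(self, consume_on_verify: bool):
        self.consume_on_verify = consume_on_verify
        self._challenges: dict[str, str] = {}

    def issue(self, answer: str) -> str:
        """Create a challenge token bound to the expected answer."""
        token = secrets.token_urlsafe(16)
        self._challenges[token] = answer
        return token

    def verify(self, token: str, answer: str) -> bool:
        """Check an answer for a token. The hardened variant removes the
        token on the first verification attempt, whether it succeeds or
        fails, so a later submission with the same token cannot pass."""
        if self.consume_on_verify:
            expected = self._challenges.pop(token, None)
        else:
            expected = self._challenges.get(token)  # defect: token survives
        if expected is None:
            return False
        return hmac.compare_digest(expected.encode(), answer.encode())


def replay_outcome(consume_on_verify: bool) -> tuple[bool, bool]:
    """Solve one challenge correctly, then submit the same token and
    answer again. Returns (first_result, replay_result)."""
    store = CaptchaStore(consume_on_verify)
    token = store.issue("x7k2")  # constructed challenge answer
    first = store.verify(token, "x7k2")
    replay = store.verify(token, "x7k2")
    return first, replay
```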

Solution: 
Install the latest version:

* If you use the Captcha module 2.0.x, upgrade to Captcha 2.0.10 [3].
* If you use the Captcha module 8.x-1.x, upgrade to Captcha 8.x-1.17 [4].

Reported By: 
* Andrew Belcher (andrewbelcher) [5]
* Chris Dudley (dudleyc) [6]
* tamasd [7]
* Tim Wood (timwood) [8]

Fixed By: 
* Joshua Sedler (grevil) [9]
* Jakob P (japerry) [10]
* Adam Nagy (joevagyok) [11]

Coordinated By: 
* cilefen (cilefen) [12] of the Drupal Security Team
* Damien McKenna (damienmckenna) [13] of the Drupal Security Team
* Greg Knaddison (greggles) [14] of the Drupal Security Team
* Michael Hess (mlhess) [15] of the Drupal Security Team
* Juraj Nemec (poker10) [16] of the Drupal Security Team
* Jess (xjm) [17] of the Drupal Security Team

------------------------------------------------------------------------------
Contribution record [18]

[1] https://www.drupal.org/project/captcha
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/captcha/releases/2.0.10
[4] https://www.drupal.org/project/captcha/releases/8.x-1.17
[5] https://www.drupal.org/u/andrewbelcher
[6] https://www.drupal.org/u/dudleyc
[7] https://www.drupal.org/u/tamasd
[8] https://www.drupal.org/u/timwood
[9] https://www.drupal.org/u/grevil
[10] https://www.drupal.org/u/japerry
[11] https://www.drupal.org/u/joevagyok
[12] https://www.drupal.org/u/cilefen
[13] https://www.drupal.org/u/damienmckenna
[14] https://www.drupal.org/u/greggles
[15] https://www.drupal.org/u/mlhess
[16] https://www.drupal.org/u/poker10
[17] https://www.drupal.org/u/xjm
[18] https://new.drupal.org/contribution-record?source_link=https%3A//www.drupal.org/node/3575767

_______________________________________________
Security-news mailing list -- security-news AT drupal.org
To unsubscribe send an email to security-news-leave AT drupal.org