Review: CAPTCHA Access Bypass in Drupal (SA-CONTRIB-2026-015)

The Hook SA-CONTRIB-2026-015 is a token lifecycle failure: solved CAPTCHA tokens were not invalidated reliably, which could allow follow-up submissions to bypass CAPTCHA checks.

What Happened The Drupal Security Team published SA-CONTRIB-2026-015 on February 25, 2026 for the CAPTCHA module (drupal/captcha). The advisory is marked moderately critical and classified as an access bypass vulnerability.

The core issue: under certain scenarios, used security tokens could remain reusable instead of being invalidated after a successful CAPTCHA solve.

Affected Scope

• Affected versions: <1.17.0 || >=2.0.0 < 2.0.10
• Fixed versions: 8.x-1.17 and 2.0.10
• CVE: CVE-2026-3214
• Advisory ID: DRUPAL-CONTRIB-2026-015

Why This Matters for Drupal 10/11 and Drupal CMS CAPTCHA is often treated as a baseline anti-abuse control in login, registration, contact, and form-heavy workflows. If token invalidation is weak, that control can degrade silently and teams may overestimate their bot resistance.

Fast Triage Checklist

1. Check installed version:
   • composer show drupal/captcha
2. Patch immediately if running <1.17.0 on 1.x or <2.0.10 on 2.x:
   • composer require drupal/captcha:^1.17 || composer require drupal/captcha:^2.0.10
3. Clear caches after update:
   • drush cr
4. Re-test protected forms for one-time token behavior:
   • Confirm repeated submissions require a fresh challenge.

Bottom Line If you rely on CAPTCHA as a core spam gate and are below the fixed versions, treat this as an active security patch. Upgrade first, then verify token reuse is no longer possible in your real submission flows.

References

• https://www.drupal.org/sa-contrib-2026-015
• https://api.osv.dev/v1/vulns/DRUPAL-CONTRIB-2026-015
• https://github.com/DrupalSecurityTeam/drupal-advisory-database/blob/main/advisories/captcha/DRUPAL-CONTRIB-2026-015.json