Security advisory 2026-04-09
CAPTCHA bypass vulnerability in reCAPTCHA v2 validation
CVSS: 6.9
Affected versions: 22.0.0 - 31.3.3
Category: Forms
Summary
A vulnerability was identified in the server-side validation logic of the reCAPTCHA form component used in the Form Builder.
Under specific conditions the validation method could fail and accept a submission whose reCAPTCHA response the provider had not actually verified as successful. An unauthenticated attacker could exploit this to bypass reCAPTCHA v2 protection and submit forms that should otherwise have been blocked, enabling spam submissions and increased load on form-based workflows.
The vulnerability was addressed by updating the validation logic to accept a submission only when the success flag returned by the reCAPTCHA provider (the boolean "success" field of the siteverify response) is true; any other outcome is treated as a failed verification.
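The following is an added example illustrating the class of check the fix describes; it is not code from Xperience by Kentico and is written in Python rather than the product's C#. The weak_is_valid function is a hypothetical weak check (it never reads the success flag), is_valid is the hardened form that keys on the boolean success flag, and verify_token wraps the real siteverify call with an injectable transport so it can run offline. The sample response bodies are constructed here, and the optional hostname comparison goes beyond the advisory's stated fix.

```python
import json
import urllib.parse
import urllib.request
from typing import Callable, Optional

# reCAPTCHA v2 server-side verification endpoint (documented by Google).
SITEVERIFY_URL = "https://www.google.com/recaptcha/api/siteverify"

# Constructed sample siteverify response bodies for offline use. They follow the
# documented response shape ("success", "challenge_ts", "hostname", "error-codes")
# but were not captured from a live verification.
VALID_RESPONSE = json.dumps({
    "success": True,
    "challenge_ts": "2026-04-09T10:00:00Z",
    "hostname": "forms.example.com",
})
FAILED_RESPONSE = json.dumps({
    "success": False,
    "error-codes": ["invalid-input-response"],
})
# A failed verification that carries no error-codes array at all.
FAILED_NO_ERRORS = json.dumps({"success": False})
# A non-boolean success value: a non-empty string is truthy, but it is not a verified success.
STRING_SUCCESS = json.dumps({"success": "false"})
# Token solved on a different site: success is true but the hostname does not match ours.
WRONG_HOST = json.dumps({"success": True, "hostname": "attacker.example"})


def weak_is_valid(body: str) -> bool:
    """Hypothetical weak check of the kind this advisory warns about: it never
    reads the success flag and treats any parseable response that lists no
    error codes as a pass."""
    data = json.loads(body)
    return not data.get("error-codes")


def is_valid(body: str, expected_hostname: Optional[str] = None) -> bool:
    """Hardened check: accept only when the success flag is the boolean true.
    Unparseable bodies, non-object bodies, missing or non-boolean flags and
    (when requested) a hostname mismatch all fail closed."""
    try:
        data = json.loads(body)
    except ValueError:
        return False
    if not isinstance(data, dict) or data.get("success") is not True:
        return False
    if expected_hostname is not None and data.get("hostname") != expected_hostname:
        return False
    return True


def _post_form(url: str, fields: dict) -> str:
    """Default transport: POST urlencoded form fields and return the response body."""
    payload = urllib.parse.urlencode(fields).encode()
    with urllib.request.urlopen(url, data=payload, timeout=10) as resp:
        return resp.read().decode("utf-8")


def verify_token(secret: str, token: str, remote_ip: Optional[str] = None,
                 expected_hostname: Optional[str] = None,
                 post: Callable[[str, dict], str] = _post_form) -> bool:
    """Verify a g-recaptcha-response token with the provider and return True only
    if the provider reports success. An empty token or any transport error is a
    failure; 'post' is injectable so the logic can be exercised without network access."""
    if not token:
        return False
    fields = {"secret": secret, "response": token}
    if remote_ip:
        fields["remoteip"] = remote_ip
    try:
        body = post(SITEVERIFY_URL, fields)
    except Exception:
        return False
    return is_valid(body, expected_hostname)


if __name__ == "__main__":
    # Offline demonstration using the constructed responses above.
    print("weak check, failed without error-codes:", weak_is_valid(FAILED_NO_ERRORS))      # True
    print("hardened check, failed without error-codes:", is_valid(FAILED_NO_ERRORS))       # False
    print("hardened check, valid response:", is_valid(VALID_RESPONSE, "forms.example.com"))  # True
```

The point of the FAILED_NO_ERRORS and STRING_SUCCESS cases is that anything other than a literal boolean true in the success field must be rejected; checking for the absence of errors, or for a truthy value, is exactly the kind of logic that lets an unverified submission through.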
How to fix
Update to the latest Xperience by Kentico version. See Update Xperience by Kentico projects for detailed instructions.