moodle: ReCAPTCHA can be bypassed on the login page
Description
Insufficient checks whether ReCAPTCHA was enabled made it possible to bypass the checks on the login page. This did not affect other pages where ReCAPTCHA is utilized.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| moodle/moodle (Packagist) | >= 4.3.0, < 4.3.4 | 4.3.4 |
Affected products
- (no CPE) range: >= 4.3.0, < 4.3.4
Vulnerability mechanics
Root cause
"Missing check for whether ReCAPTCHA is enabled before reading the CAPTCHA response parameter allows bypass of the CAPTCHA verification."
Attack vector
An attacker can bypass the ReCAPTCHA check on the login page simply by omitting the `g-recaptcha-response` parameter from the login request. `login/index.php` read the parameter unconditionally and defaulted it to `false` when it was absent, and the authentication path treats `false` as "no CAPTCHA required", so the login flow proceeded without verifying the CAPTCHA even when the site administrator had ReCAPTCHA enabled [CWE-20]. The attack requires no privileges and is performed over the network with a crafted HTTP POST to the login endpoint; an empty value would not work, because an empty string is still validated and fails, so the bypass depends specifically on the field being missing.
Affected code
The vulnerability is in `login/index.php` where the ReCAPTCHA response is fetched without first checking whether ReCAPTCHA is enabled. The patch modifies the line that assigns `$loginrecaptcha` to conditionally retrieve the response only when `login_captcha_enabled()` returns true.
What the fix does
The patch makes the ReCAPTCHA response retrieval conditional on `login_captcha_enabled()`. If that function returns false (ReCAPTCHA is not configured), `$loginrecaptcha` is set to `false`, which keeps the existing "no CAPTCHA required" path for such sites; otherwise the request parameter is read with an empty-string default. The effect is that, when ReCAPTCHA is enabled, a missing response reaches the authentication logic as an empty string rather than `false`, so it is validated like any other response and the login attempt is rejected if the CAPTCHA was not solved. Sites that never enabled ReCAPTCHA on the login page were not exposed, and other pages that use ReCAPTCHA were not affected.
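The hand-off between reading the parameter and validating it is where the bypass lives, so the following is an added example that models it end to end. It is not Moodle's own code: the function names `login_captcha_enabled` and `validate_login_captcha` mirror the advisory text, but their bodies here are stubs standing in for the real implementations, `optional_param_from` is a hypothetical replacement for Moodle's `optional_param()` that reads from an array instead of `$_POST`, and the three request arrays are constructed test inputs. The vulnerable reader (unconditional read, default `false`) sits beside the fixed reader (read only when enabled, default `''`), and both are run through the same authentication stub.

```php
<?php
// Added example, not Moodle's code. Models how login/index.php hands the reCAPTCHA
// response to the authentication step, before and after the fix described above.

// Stand-in for the site configuration (assumed): reCAPTCHA is enabled on the login page.
define('RECAPTCHA_ENABLED', true);

// Named after the real Moodle function, but this body is a stub.
function login_captcha_enabled(): bool {
    return RECAPTCHA_ENABLED;
}

// Stand-in for the real verifier (which would call the reCAPTCHA siteverify API).
// A response counts as solved only if it equals a fixed constructed token.
function validate_login_captcha(string $response): bool {
    return $response === 'solved-token';
}

// Hypothetical replacement for optional_param(): read from an array instead of $_POST.
function optional_param_from(array $request, string $name, $default) {
    return array_key_exists($name, $request) ? $request[$name] : $default;
}

// Authentication side. The contract implied by the advisory: `false` means
// "no CAPTCHA required"; any other value is validated and must pass.
function authenticate($loginrecaptcha): string {
    if ($loginrecaptcha !== false && !validate_login_captcha($loginrecaptcha)) {
        return 'AUTH_LOGIN_FAILED_RECAPTCHA';
    }
    // Username/password checks would follow; treated as successful here.
    return 'AUTH_LOGIN_OK';
}

// Vulnerable reader: the parameter is read unconditionally and defaults to false
// when absent, so omitting the field silently turns the CAPTCHA requirement off.
function read_captcha_vulnerable(array $request) {
    return optional_param_from($request, 'g-recaptcha-response', false);
}

// Fixed reader: consult the request only when CAPTCHA is enabled, and default to ''
// (which is validated and fails) rather than false (which skips validation).
function read_captcha_fixed(array $request) {
    return login_captcha_enabled()
        ? optional_param_from($request, 'g-recaptcha-response', '')
        : false;
}

// Constructed requests: a genuine solve, a bogus solve, and the bypass (field omitted).
$requests = [
    'solved'  => ['username' => 'alice', 'password' => 'pw', 'g-recaptcha-response' => 'solved-token'],
    'bogus'   => ['username' => 'alice', 'password' => 'pw', 'g-recaptcha-response' => 'garbage'],
    'omitted' => ['username' => 'alice', 'password' => 'pw'],
];

foreach ($requests as $label => $req) {
    printf("%-8s before: %-28s after: %s\n",
        $label,
        authenticate(read_captcha_vulnerable($req)),
        authenticate(read_captcha_fixed($req)));
}
```

Run it with the PHP CLI. The only row that differs between the two columns is `omitted`: the vulnerable reader turns a missing field into `false`, which the authentication stub accepts without validation, while the fixed reader turns it into `''`, which is validated and rejected. The `solved` and `bogus` rows behave the same before and after, which is why the fix is safe to apply without changing behaviour for legitimate users. Flip `RECAPTCHA_ENABLED` to `false` to see the fixed reader return `false` for every request, preserving the no-CAPTCHA path for sites that never enabled it.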
Preconditions
- config: The site administrator must have ReCAPTCHA enabled on the login page.
- network: The attacker must be able to send HTTP requests to the login endpoint.
- input: The attacker omits the `g-recaptcha-response` parameter from the login POST request.
Generated on Jun 19, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-gwf6-q6c2-94p3 (GHSA advisory)
- nvd.nist.gov/vuln/detail/CVE-2024-34009 (NVD advisory)
- moodle.org/mod/forum/discuss.php (Moodle forum discussion; URL truncated in source)