VYPR
Medium severity, 6.5 · NVD Advisory · Published Jun 15, 2026 · Updated Jun 15, 2026

CVE-2026-49953

Description

Discuz! X5.0 CAPTCHA bypass via limited complexity and predictable character sets allows unauthenticated attackers to automate abuse of login, registration, and other functions.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.


Vulnerability

Discuz! X5.0 releases 20260320 through 20260610 contain a CAPTCHA bypass vulnerability: the generated CAPTCHA images use a limited, predictable character set and little visual complexity [2][3]. An attacker can collect CAPTCHA samples and train a custom OCR model that reliably recognizes the challenge text, defeating the security control [1][2]. Older X3.4 and X3.5 releases may also be affected [2].

Exploitation

No authentication is required; an unauthenticated remote attacker can exploit this vulnerability [3]. The attacker first collects CAPTCHA samples from the target Discuz! instance, then trains a custom OCR model (e.g., CNN+LSTM+CTC architecture) to solve the CAPTCHA [1][2]. Once the model achieves reliable recognition, the attacker can automate requests that require CAPTCHA verification, such as login, registration, and other functionality [3]. Reference [1] describes using this CAPTCHA bypass as part of a larger exploit chain involving a race condition and LFI.

Impact

Successful exploitation allows an attacker to bypass CAPTCHA protections, enabling automated abuse of registration, login, credential stuffing, and other CAPTCHA-protected workflows [2][3]. This vulnerability alone does not directly lead to code execution or privilege escalation, but it can be chained with other vulnerabilities to achieve pre-authentication remote code execution, as demonstrated in reference [1]. The attacker can perform actions that are normally rate-limited or blocked by CAPTCHA, potentially leading to account compromise or other abuse.

Mitigation

No official solution is currently available; the vendor was contacted but did not release a fix, noting that "OCR-based CAPTCHA bypass is a well-known issue" [2]. Affected users should monitor for updates from Discuz!. Workarounds may include implementing additional rate limiting, using more complex CAPTCHA systems, or employing behavioral analysis to detect automated activity. The vulnerability affects X5.0 releases 20260320 through 20260610 [2][3].

AI Insight generated on Jun 15, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products (1)

  • Discuz/Discuz! [llm-fuzzy]
    Range: X5.0 releases 20260320 through 20260610

Patches (0)

No patches discovered yet.

Vulnerability mechanics

Root cause

"Unvalidated deserialization of plugin XML data allows an attacker to control the `directory` and `modules` fields, leading to a path traversal that enables a Local File Inclusion when the plugin is enabled."

Attack vector

An unauthenticated attacker first bypasses the CAPTCHA by training a custom OCR model (CNN+LSTM+CTC) on collected samples to reliably predict challenge text [1]. With automated CAPTCHA solving, the attacker exploits a race condition to obtain administrator privileges without valid credentials [1]. As an administrator, the attacker imports a crafted plugin XML file that sets the `directory` to a path traversal string (e.g., `../../data/attachment/common/cf/`) and the `enablefile` to a previously uploaded image containing PHP code. When the plugin is enabled, the application includes that attacker-controlled file, achieving remote code execution [1].

Affected code

The vulnerability is in the plugin management functionality of Discuz! X5.0. The LFI occurs in `/source/app/admin/child/plugins/enable_disable.php` at line 36, where `include $filename` is called with a path partially controlled by the attacker via the `$pluginarray` variable. The root cause is in `/source/app/admin/child/plugins/import.php`, which deserializes an uploaded XML file into `$pluginarray` without sufficient validation, allowing an administrator to set arbitrary values for `directory` and `modules` fields that later flow into the `include()` call.

What the fix does

The advisory does not provide a specific patch diff. The recommended remediation is to add strict validation on the `directory` and `modules` fields during plugin import to prevent path traversal sequences, and to sanitize the `$filename` variable before passing it to `include()` in `enable_disable.php`. Additionally, the CAPTCHA generation logic should be hardened by increasing character set complexity and introducing distortion to defeat automated OCR.
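The following is an added illustration of the import-time validation and the containment check described above; it is example code written for this page, not Discuz!'s own code or a vendor patch. The `$pluginarray` layout with a per-module `file` key, the `PLUGIN_BASE` constant and the helper function names are assumptions made for the example.

```php
<?php
// Added example (not Discuz! code): reject plugin metadata from an imported
// XML file before any value derived from it can reach include().
// Assumed: $pluginarray has 'directory' and 'modules' keys, each module has a
// 'file' key, and plugins live under PLUGIN_BASE. All of these are hypothetical.

declare(strict_types=1);

const PLUGIN_BASE = __DIR__ . '/source/plugin'; // assumed plugin root

// Allow only identifier-like names: no slashes, dots, NUL bytes or traversal.
function is_safe_plugin_name(string $name): bool
{
    return (bool) preg_match('/^[a-z0-9_]{1,64}$/i', $name);
}

// Allow only a plain script name ending in .php (no directory components).
function is_safe_module_file(string $file): bool
{
    return (bool) preg_match('/^[a-z0-9_]{1,64}\.php$/i', $file);
}

// Validate the fields that later flow into the include path.
// Returns a list of error strings; an empty list means the data is acceptable.
function validate_plugin_array(array $pluginarray): array
{
    $errors = [];
    $dir = $pluginarray['directory'] ?? '';
    if (!is_string($dir) || !is_safe_plugin_name($dir)) {
        $errors[] = 'directory: must match ^[A-Za-z0-9_]{1,64}$';
    }
    $modules = $pluginarray['modules'] ?? [];
    if (!is_array($modules)) {
        $errors[] = 'modules: must be an array';
    } else {
        foreach ($modules as $i => $m) {
            $file = is_array($m) ? ($m['file'] ?? null) : null; // hypothetical key
            if (!is_string($file) || !is_safe_module_file($file)) {
                $errors[] = "modules[$i].file: must be a plain name ending in .php";
            }
        }
    }
    return $errors;
}

// Second gate, applied at enable time: build the include path and confirm it
// resolves inside PLUGIN_BASE. realpath() collapses ../ and symlinks, so a
// string prefix check on the resolved path cannot be fooled by traversal.
function resolve_plugin_file(string $directory, string $file): ?string
{
    if (!is_safe_plugin_name($directory) || !is_safe_module_file($file)) {
        return null;
    }
    $base = realpath(PLUGIN_BASE);
    $candidate = realpath(PLUGIN_BASE . '/' . $directory . '/' . $file);
    if ($base === false || $candidate === false) {
        return null; // plugin root or target file does not exist
    }
    if (strncmp($candidate, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null; // resolved outside the plugin tree
    }
    return $candidate;
}

// Constructed sample inputs: one well-formed entry and one carrying the
// traversal pattern the advisory describes (path taken from the advisory text).
$samples = [
    ['directory' => 'example_plugin', 'modules' => [['file' => 'admin.php']]],
    ['directory' => '../../data/attachment/common/cf/', 'modules' => [['file' => 'x.jpg']]],
];
foreach ($samples as $s) {
    $errors = validate_plugin_array($s);
    echo $s['directory'], ' => ', $errors ? implode('; ', $errors) : 'ok', PHP_EOL;
}
```

In the enable path, the hardened pattern is `$filename = resolve_plugin_file($dir, $file); if ($filename === null) { /* refuse and log */ } include $filename;`, so that a record which slipped past import validation (for example one written before the check existed) is still rejected at include time. Running the script prints `ok` for the first sample and two errors for the second: the traversal string fails the `directory` rule and `x.jpg` fails the `.php` rule.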

Preconditions

  • network: The attacker must be able to reach the Discuz! X5.0 web application over the network.
  • input: The attacker must collect enough CAPTCHA samples to train a custom OCR model.
  • auth: The attacker must exploit a race condition to gain administrator privileges (no valid credentials required).

Generated on Jun 15, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References (3)

News mentions (0)

No linked articles in our index yet.