Discuz! <= X5.0 OCR-based CAPTCHA Bypass Vulnerability
• Software Link:
• Affected Versions:
Version X5.0, releases 20260320 through 20260610.
Older X3.4 and X3.5 releases may be affected too.
• Vulnerability Description:
A security weakness in the CAPTCHA implementation of Discuz! allows automated solving of CAPTCHA challenges through Optical Character Recognition (OCR) techniques.
Due to the limited complexity and predictability of the generated CAPTCHA images, an attacker can train a custom OCR model to reliably recognize the challenge text, effectively bypassing a security control intended to prevent automated abuse.
This issue may facilitate automated registration, login, credential stuffing, and exploitation workflows that rely on CAPTCHA-protected functionality.
• Proof of Concept:
https://karmainsecurity.com/pocs/discuz_captcha_bypass.zip
• Solution:
No official solution is currently available.
• Disclosure Timeline:
[27/04/2026] – Vendor contacted through private messages on gitee.com, no response
[27/04/2026] – Vendor contacted via e-mail at admin@discuz.vip and security@tencent.com, no response
[07/05/2026] – Opened issue IJLFUW on https://gitee.com/Discuz/DiscuzX
[09/05/2026] – Vulnerability details shared within issue IJLFUW
[09/05/2026] – Vendor replied “OCR-based CAPTCHA bypass is a well-known issue”
[09/06/2026] – CVE identifier requested
[09/06/2026] – CVE identifier assigned
[13/06/2026] – Public disclosure at hackmeeting 0x1D
[15/06/2026] – Publication of this advisory
• CVE Reference:
CVE-2026-49953 has been assigned to this vulnerability.
• Credits:
Vulnerability discovered by Egidio Romano.