Captcha verification is broken in 3.2

    • Type: Bug
    • Resolution: Duplicate
    • Priority: Medium
    • Affects Version/s: 3.2.0
    • Component/s: Enterprise

      Verification of CAPTCHA is broken on Stash 3.2. The problem is indirectly caused by use of Hazelcast's session replication. Hazelcast wraps the Tomcat HttpSession with its own wrapper, which has a different session ID.

      When the Captcha challenge is created, the captcha token is stored against the session ID obtained from HttpSession.getId(). However, when the provided token is verified, it's retrieved using HttpServletRequest.getRequestedSessionId() which differs. Therefore the token is not found and an error occurs.

            Assignee:
            Michael Heemskerk (Inactive)
            Reporter:
            Michael Heemskerk (Inactive)

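
The key mismatch described in the report, modelled as an added example that is not part of the original issue or of Stash's code. The `Session`, `WrappedSession` and `Request` types are hypothetical plain-Java stand-ins for the servlet and Hazelcast classes, the IDs and token are constructed, and the consistent lookup is one possible correction assumed here, not the project's actual fix.

```java
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

// Added illustration: plain-Java stand-ins, not the servlet API or Stash code.
public class CaptchaSessionKeyDemo {

    // Stand-in for a session; getId() mirrors HttpSession.getId().
    interface Session { String getId(); }

    // Stand-in for a replicating wrapper that reports its own ID (assumption:
    // models the wrapper behaviour the report attributes to Hazelcast).
    record WrappedSession(Session delegate, String wrapperId) implements Session {
        public String getId() { return wrapperId; }
    }

    // Stand-in for a request; requestedSessionId mirrors the value returned by
    // HttpServletRequest.getRequestedSessionId().
    record Request(String requestedSessionId, Session session) {}

    // Token store keyed by a session identifier.
    static final Map<String, String> TOKENS = new ConcurrentHashMap<>();

    // Challenge creation: token stored against session.getId().
    static void issueChallenge(Request req, String token) {
        TOKENS.put(req.session().getId(), token);
    }

    // Behaviour from the report: lookup keyed by the requested session ID.
    static boolean verifyByRequestedId(Request req, String answer) {
        return answer.equals(TOKENS.get(req.requestedSessionId()));
    }

    // Consistent variant (assumption): lookup uses the same getId() as the store.
    static boolean verifyBySessionId(Request req, String answer) {
        return answer.equals(TOKENS.get(req.session().getId()));
    }

    public static void main(String[] args) {
        Session container = () -> "CONTAINER-1234";                     // constructed ID
        Session wrapped = new WrappedSession(container, "WRAPPER-abcd"); // constructed ID
        // Assumption: the client-supplied ID is the container's, not the wrapper's.
        Request req = new Request(container.getId(), wrapped);

        issueChallenge(req, "x7Kp"); // constructed token
        System.out.println("requested-id lookup matches: " + verifyByRequestedId(req, "x7Kp"));
        System.out.println("session-id lookup matches:   " + verifyBySessionId(req, "x7Kp"));
    }
}
```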