The g-recaptcha-response is not validated on the server-side when submitting a Signup form to the endpoint. Any or no value can be provided for this header
Step to reproduce:
Impact. Fake accounts can be created. Also username enumeration can be performed because no application will allow two email to choose same email.