CVE-2026-40485

MEDIUM

ChurchCRM: Username Enumeration via Differential Response in Public Login API

Title source: cna

Description

ChurchCRM is an open-source church management system. In versions prior to 7.2.0, the public API login endpoint (/api/public/user/login) returns distinguishable HTTP response codes based on whether a username exists: 404 for non-existent users and 401 for valid users with incorrect passwords. An unauthenticated attacker can exploit this difference to enumerate valid usernames, with no rate limiting or account lockout to impede the process. This issue has been fixed in version 7.2.0.

References (3)

Scores

CVSS v3 5.3
EPSS 0.0001
EPSS Percentile 1.9%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Details

CWE
CWE-204 CWE-307
Status published
Products (1)
ChurchCRM/CRM < 7.2.0
Published Apr 18, 2026
Tracked Since Apr 18, 2026