CVE-2026-40582

CRITICAL

ChurchCRM: Authentication Bypass in `/api/public/user/login` Allows Bypass of 2FA and Account Lockout

Title source: cna

Description

ChurchCRM is an open-source church management system. In versions prior to 7.2.0, the /api/public/user/login endpoint validates only the username and password before returning the user's API key, bypassing the normal authentication flow that enforces account lockout and two-factor authentication checks. An attacker with knowledge of a user's password can obtain API access even when the account is locked or has 2FA enabled, granting direct access to all protected API endpoints with that user's privileges. This issue has been fixed in version 7.2.0. Note: this issue had a duplicate, GHSA-472m-p3gf-46xp, which has been closed.

References (3)

[X_Refsource_Confirm] https://github.com/ChurchCRM/CRM/security/advisories/GHSA-8cwr-x83m-mh9x

[X_Refsource_Misc] https://github.com/ChurchCRM/CRM/pull/8607

[X_Refsource_Misc] https://github.com/ChurchCRM/CRM/commit/214694eb83778e1f5e52b3dfa2a99d0e965c1850

View Writeup ZIP pw:eip

Scores

CVSS v4 9.1

EPSS 0.0013

EPSS Percentile 32.4%

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N

Details

CWE

CWE-288 CWE-305

Status published

Products (1)

ChurchCRM/CRM < 7.2.0

Published Apr 18, 2026

Tracked Since Apr 18, 2026