DNA View

CVE-2026-40582

CVSS Severity: Low
Published: Apr 18, 2026
Last Modified: Apr 18, 2026

Vulnerability Description

ChurchCRM is an open-source church management system. In versions prior to 7.2.0, the /api/public/user/login endpoint validates only the username and password before returning the user's API key, bypassing the normal authentication flow that enforces account lockout and two-factor authentication checks. An attacker with knowledge of a user's password can obtain API access even when the account is locked or has 2FA enabled, granting direct access to all protected API endpoints with that user's privileges. This issue has been fixed in version 7.2.0. Note: this issue had a duplicate, GHSA-472m-p3gf-46xp, which has been closed.
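To make the CWE-288 pattern described above concrete from a defender's side, the following is an added example (not ChurchCRM's code, and not taken from the advisory): a toy authentication service in Python with one shared `authenticate()` pipeline that enforces lockout and a second factor, beside an API login path that checks only username and password and therefore returns the API key regardless of those controls. The hardened variant simply routes the API login through the shared pipeline. All users, passwords, API keys and one-time codes are constructed sample data, and the TOTP check is a stand-in comparison rather than a real TOTP implementation.

```python
"""Added example (not ChurchCRM code): an API login path that bypasses the
lockout and 2FA checks of the main login path (CWE-288), beside a hardened
variant that reuses the single shared authentication pipeline.
All credentials below are constructed sample data."""
from dataclasses import dataclass, field
from typing import Dict, Optional
import hashlib
import hmac

LOCKOUT_THRESHOLD = 3  # failed attempts before the account is locked (sample policy)


def _hash(password: str) -> str:
    # Toy stand-in for a real password hasher (bcrypt/argon2 in production).
    return hashlib.sha256(password.encode()).hexdigest()


class AuthError(Exception):
    pass


@dataclass
class User:
    username: str
    password_hash: str
    api_key: str
    locked: bool = False
    totp_enabled: bool = False
    expected_totp: Optional[str] = None  # stand-in for a real TOTP verifier
    failed_logins: int = 0


@dataclass
class AuthService:
    users: Dict[str, User] = field(default_factory=dict)

    def add_user(self, user: User) -> None:
        self.users[user.username] = user

    def _verify_totp(self, user: User, code: str) -> bool:
        # Constructed check: a real system would compute TOTP from the user's secret.
        return user.expected_totp is not None and hmac.compare_digest(user.expected_totp, code)

    def authenticate(self, username: str, password: str, totp_code: Optional[str] = None) -> User:
        """The one place credentials are checked: lockout, password, then second factor."""
        user = self.users.get(username)
        if user is not None and user.locked:
            raise AuthError("account locked")
        if user is None or not hmac.compare_digest(user.password_hash, _hash(password)):
            if user is not None:
                user.failed_logins += 1
                if user.failed_logins >= LOCKOUT_THRESHOLD:
                    user.locked = True
            raise AuthError("invalid credentials")
        if user.totp_enabled and (totp_code is None or not self._verify_totp(user, totp_code)):
            raise AuthError("second factor required")
        user.failed_logins = 0
        return user

    def api_login_vulnerable(self, username: str, password: str) -> str:
        # Alternate path: only username + password are checked, so a locked
        # account or one with 2FA enabled still gets its API key.
        user = self.users.get(username)
        if user is not None and hmac.compare_digest(user.password_hash, _hash(password)):
            return user.api_key
        raise AuthError("invalid credentials")

    def api_login_hardened(self, username: str, password: str, totp_code: Optional[str] = None) -> str:
        # Fixed path: every login, API or web, goes through the same pipeline.
        return self.authenticate(username, password, totp_code).api_key


def _attempt(fn, *args) -> str:
    try:
        return fn(*args)
    except AuthError as exc:
        return f"denied: {exc}"


def demo() -> Dict[str, str]:
    """Runs both paths against a locked user and a 2FA user (constructed data)."""
    svc = AuthService()
    svc.add_user(User("alice", _hash("correct horse"), api_key="ak-alice-sample", locked=True))
    svc.add_user(User("bob", _hash("hunter2"), api_key="ak-bob-sample",
                      totp_enabled=True, expected_totp="123456"))
    return {
        "locked_vulnerable": _attempt(svc.api_login_vulnerable, "alice", "correct horse"),
        "locked_hardened": _attempt(svc.api_login_hardened, "alice", "correct horse"),
        "2fa_vulnerable": _attempt(svc.api_login_vulnerable, "bob", "hunter2"),
        "2fa_hardened_no_code": _attempt(svc.api_login_hardened, "bob", "hunter2"),
        "2fa_hardened_with_code": _attempt(svc.api_login_hardened, "bob", "hunter2", "123456"),
    }


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case}: {outcome}")
```

The design point is that the vulnerable path is not wrong about passwords; it is wrong about having its own check at all. Any endpoint that can mint a credential must call the same authentication routine the login form uses, so that lockout, 2FA and any future control are enforced once and apply everywhere.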

Severity Details

Severity: Low

Weakness Type (CWE)

CWE-288

Authentication Bypass Using an Alternate Path or Channel

Description: The product requires authentication, but the product has an alternate path or channel that does not require authentication.
Typical Severity: Medium
Abstraction Level: Base

Key Information

Published Date: April 18, 2026