Vulnerability Description
ChurchCRM is an open-source church management system. In versions prior to 7.2.0, the /api/public/user/login endpoint validates only the username and password before returning the user's API key, bypassing the normal authentication flow that enforces account lockout and two-factor authentication checks. An attacker with knowledge of a user's password can obtain API access even when the account is locked or has 2FA enabled, granting direct access to all protected API endpoints with that user's privileges. This issue has been fixed in version 7.2.0. Note: this issue had a duplicate, GHSA-472m-p3gf-46xp, which has been closed.
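To make the flaw concrete, the following is an added illustration and not ChurchCRM's own code: a hypothetical `User` record, a login function that hands back the API key after checking only the password, and a hardened version that applies the same lockout and two-factor gates the interactive login enforces before any key is issued. The field names, `MAX_FAILED_LOGINS`, and the `$verifyTotp` callback are assumptions.

```php
<?php
// Added illustration, not ChurchCRM code. User fields, MAX_FAILED_LOGINS and the
// TOTP callback are hypothetical stand-ins for whatever the real project uses.

final class User {
    public function __construct(
        public string $name,
        public string $passwordHash,
        public string $apiKey,
        public int $failedLogins,
        public bool $twoFactorEnabled,
    ) {}
}

const MAX_FAILED_LOGINS = 5;

// Vulnerable pattern (the shape described in the advisory): the public login route
// verifies only the credentials and returns the API key, so an account that is
// locked out or protected by 2FA still yields a usable key.
function apiLoginVulnerable(User $user, string $password): ?string {
    if (!password_verify($password, $user->passwordHash)) {
        return null;
    }
    return $user->apiKey;
}

// Hardened pattern: the API path runs the same policy gates as the normal login.
// Lockout is checked first (no password work on a locked account), failures are
// counted, and a 2FA-enabled account must present a valid code before a key is issued.
function apiLoginHardened(User $user, string $password, ?string $totpCode, callable $verifyTotp): array {
    if ($user->failedLogins >= MAX_FAILED_LOGINS) {
        return ['status' => 'locked', 'apiKey' => null];
    }
    if (!password_verify($password, $user->passwordHash)) {
        $user->failedLogins++;
        return ['status' => 'invalid', 'apiKey' => null];
    }
    if ($user->twoFactorEnabled && ($totpCode === null || !$verifyTotp($user, $totpCode))) {
        return ['status' => '2fa_required', 'apiKey' => null];
    }
    $user->failedLogins = 0;
    return ['status' => 'ok', 'apiKey' => $user->apiKey];
}

// Constructed sample: a locked account (failure counter at the limit) with 2FA enabled.
$u = new User('alice', password_hash('correct horse', PASSWORD_DEFAULT), 'key-EXAMPLE-ONLY', 5, true);
// The vulnerable path issues the key; the hardened path stops at the lockout gate.
echo 'vulnerable: ', var_export(apiLoginVulnerable($u, 'correct horse'), true), PHP_EOL;
echo 'hardened:   ', apiLoginHardened($u, 'correct horse', null, fn(User $x, string $c): bool => false)['status'], PHP_EOL;
```

Detection-wise, the hardened variant also gives the application a distinct `locked` / `2fa_required` outcome to log, which the credential-only check never produces.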
Related Weaknesses (CWE)
References
- https://github.com/ChurchCRM/CRM/commit/214694eb83778e1f5e52b3dfa2a99d0e965c1850
- https://github.com/ChurchCRM/CRM/pull/8607
- https://github.com/ChurchCRM/CRM/security/advisories/GHSA-8cwr-x83m-mh9x
FAQ
What is CVE-2026-40582?
CVE-2026-40582 is a documented vulnerability. ChurchCRM is an open-source church management system. In versions prior to 7.2.0, the /api/public/user/login endpoint validates only the username and password before returning the user's API key, bypa...
How severe is CVE-2026-40582?
CVSS scoring is not yet available for CVE-2026-40582. Check NVD for updates.
Is there a patch for CVE-2026-40582?
Check the references section above for vendor advisories and patch information. Review vendor security bulletins for remediation guidance.