CVE-2026-40485 - Vulnerability Details

- ChurchCRM: Username Enumeration via Differential Response in Public Login API

Description

ChurchCRM is an open-source church management system. In versions prior to 7.2.0, the public API login endpoint (/api/public/user/login) returns distinguishable HTTP response codes based on whether a username exists: 404 for non-existent users and 401 for valid users with incorrect passwords. An unauthenticated attacker can exploit this difference to enumerate valid usernames, with no rate limiting or account lockout to impede the process. This issue has been fixed in version 7.2.0.

Published: 2026-04-17

Score: 5.3 Medium

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

The public login API endpoint returns distinct status codes: a 404 when a username does not exist and a 401 when the username exists but the password is wrong. This differential response allows an unauthenticated attacker to systematically discover valid usernames by observing the returned HTTP code, effectively leaking sensitive account information. Although this vulnerability does not grant direct access or administrative privileges, it expands the attack surface and can facilitate targeted credential‑guessing or social‑engineering attacks once valid usernames are known. The weakness reflects an Information Exposure flaw (CWE‑204) and improper handling of authentication responses (CWE‑307).

Affected Systems

ChurchCRM:CRM, all releases earlier than version 7.2.0. The public API endpoint /api/public/user/login is affected; later releases have been patched.

Risk and Exploitability

The CVSS score of 5.3 places this issue in the medium severity range. No EPSS score is available, and the vulnerability is not listed in the CISA KEV catalog, suggesting no publicly known exploitation at the time of this report. However, the public nature of the endpoint, lack of rate limiting, and absence of account lockout mechanisms mean that an attacker can enumerate usernames efficiently by sending numerous requests from any remote host. The attack vector is remote over the internet, requiring only network connectivity to the CRM server and no prior credentials.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

ChurchCRM

CRM

affected

Version	Status	Constraints
`< 7.2.0`	affected	—

No data.

Vendor Product Confidence Versions

Churchcrm

81%

Version	Status	Scheme	Platform
`[0,7.2.0)`	affected	semver	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Upgrade ChurchCRM to version 7.2.0 or later, where the differential response handling has been removed.
If an upgrade cannot be performed immediately, enforce throttling or IP blocking on the /api/public/user/login endpoint to slow enumeration attempts.
Restrict access to the public login API from untrusted networks with firewall rules or reverse proxy restrictions.

Generated by OpenCVE AI on April 18, 2026 at 17:03 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact None

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00012.

Exploitation poc

Automatable yes

Technical Impact partial

References

Link	Providers
https://github.com/ChurchCRM/CRM/commit/214694eb83778e1f5e52b3dfa2a99d0e965c1850
https://github.com/ChurchCRM/CRM/pull/8607
https://github.com/ChurchCRM/CRM/security/advisories/GHSA-x2qh-xmhq-4jpx

History

Mon, 20 Apr 2026 15:15:00 +0000

Type	Values Removed	Values Added
First Time appeared		Churchcrm Churchcrm churchcrm
Vendors & Products		Churchcrm Churchcrm churchcrm

Mon, 20 Apr 2026 14:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Fri, 17 Apr 2026 23:45:00 +0000

Type	Values Removed	Values Added
Description		ChurchCRM is an open-source church management system. In versions prior to 7.2.0, the public API login endpoint (/api/public/user/login) returns distinguishable HTTP response codes based on whether a username exists: 404 for non-existent users and 401 for valid users with incorrect passwords. An unauthenticated attacker can exploit this difference to enumerate valid usernames, with no rate limiting or account lockout to impede the process. This issue has been fixed in version 7.2.0.
Title		ChurchCRM: Username Enumeration via Differential Response in Public Login API
Weaknesses		CWE-204 CWE-307
References		https://github.com/ChurchCRM/CRM/commit/214694eb83778e1f5e52b3dfa2a99d0e965c1850 https://github.com/ChurchCRM/CRM/pull/8607 https://github.com/ChurchCRM/CRM/security/advisories/GHSA-x2qh-xmhq-4jpx
Metrics		cvssV3_1 `{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N'}`

Subscriptions

Churchcrm Churchcrm

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2026-04-17T23:29:35.884Z

Updated: 2026-04-20T13:36:05.319Z

Reserved: 2026-04-13T19:50:42.114Z

Link: CVE-2026-40485

Vulnrichment

Updated: 2026-04-20T13:32:28.791Z

NVD

Status : Deferred

Published: 2026-04-18T00:16:39.540

Modified: 2026-04-20T18:59:46.333

Link: CVE-2026-40485

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-20T14:59:10Z

Weaknesses

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact None

Availability Impact None

User Interaction None

Exploitation poc

Automatable yes

Technical Impact partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object