Description
ChurchCRM is an open-source church management system. In versions prior to 7.2.0, the /api/public/user/login endpoint validates only the username and password before returning the user's API key, bypassing the normal authentication flow that enforces account lockout and two-factor authentication checks. An attacker with knowledge of a user's password can obtain API access even when the account is locked or has 2FA enabled, granting direct access to all protected API endpoints with that user's privileges. This issue has been fixed in version 7.2.0. Note: this issue had a duplicate, GHSA-472m-p3gf-46xp, which has been closed.
Published: 2026-04-17
Score: 9.1 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Authentication bypass allowing attackers to acquire API access by bypassing two‑factor authentication and account lockout
Action: Immediate Patch
AI Analysis

Impact

The vulnerability resides in the /api/public/user/login endpoint, which validates only a username and password before issuing an API key. The normal authentication flow that enforces account lockout and two‑factor authentication is bypassed. If an attacker knows a user’s password, they can obtain an API key even when the account is locked or 2FA is required, thereby gaining direct access to all protected API endpoints with the victim’s privileges.

Affected Systems

ChurchCRM CRM installations running any version earlier than 7.2.0 are affected. The issue was fixed in 7.2.0 and later versions are not vulnerable.

Risk and Exploitability

With a CVSS score of 9.1, the vulnerability poses a high severity risk. Exploitation requires only knowledge of a user’s password and does not rely on other privileges. The likely attack vector is simple credential misuse over the exposed API endpoint. The EPSS score is not available, and it is not listed in CISA KEV, but the impact of bypassing authentication controls presents a severe threat to confidentiality and integrity of all API data.

Generated by OpenCVE AI on April 18, 2026 at 08:48 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade ChurchCRM to version 7.2.0 or later to apply the fix that restores proper authentication flow.
  • If an upgrade cannot be performed immediately, restrict or disable external access to the /api/public/user/login endpoint until the update is deployed.
  • Enforce two‑factor authentication and account lockout policies for all user accounts, and audit that the authentication flow cannot be circumvented by any other endpoint.

Generated by OpenCVE AI on April 18, 2026 at 08:48 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 20 Apr 2026 15:15:00 +0000

Type Values Removed Values Added
First Time appeared Churchcrm
Churchcrm churchcrm
Vendors & Products Churchcrm
Churchcrm churchcrm
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Fri, 17 Apr 2026 23:30:00 +0000

Type Values Removed Values Added
Description ChurchCRM is an open-source church management system. In versions prior to 7.2.0, the /api/public/user/login endpoint validates only the username and password before returning the user's API key, bypassing the normal authentication flow that enforces account lockout and two-factor authentication checks. An attacker with knowledge of a user's password can obtain API access even when the account is locked or has 2FA enabled, granting direct access to all protected API endpoints with that user's privileges. This issue has been fixed in version 7.2.0. Note: this issue had a duplicate, GHSA-472m-p3gf-46xp, which has been closed.
Title ChurchCRM: Authentication Bypass in `/api/public/user/login` Allows Bypass of 2FA and Account Lockout
Weaknesses CWE-288
CWE-305
References
Metrics cvssV4_0

{'score': 9.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N'}

Subscriptions

Churchcrm Churchcrm
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-20T14:56:36.921Z

Reserved: 2026-04-14T13:24:29.475Z

Link: CVE-2026-40582

cve-icon Vulnrichment

Updated: 2026-04-20T14:45:33.502Z

cve-icon NVD

Status : Deferred

Published: 2026-04-18T00:16:39.827

Modified: 2026-04-20T18:59:46.333

Link: CVE-2026-40582

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-20T14:59:17Z

Weaknesses