Description
ChurchCRM is an open-source church management system. In versions 7.2.0 through 7.2.2, the fix for CVE-2026-4058 is incomplete. The hardening commit was merged and then silently stripped from src/api/routes/public/public-user.php by an unrelated PR before any 7.2.x tag was cut. Every shipped 7.2.x release therefore remains exploitable by the PoC published with the original advisory. This vulnerability is fixed in 7.3.1.
Published: 2026-05-12
Score: 9.6 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The public API login endpoint in ChurchCRM 7.2.x still bypasses two-factor authentication and account lockout. An attacker who holds or guesses a valid password can therefore authenticate without the second factor, and the missing lockout leaves password guessing against that endpoint unthrottled. The result is unauthorized access to the victim account's data and, for an administrative account, potential full compromise of the installation.

Affected Systems

ChurchCRM Community Edition versions 7.2.0 through 7.2.2 are affected; 7.3.1 and later contain the fix.

Risk and Exploitability

With a CVSS 3.1 base score of 9.6 (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N) the flaw is rated critical: it is reachable over the network through the public API login endpoint, needs only low privileges and no user interaction, and the changed scope reflects impact beyond the vulnerable component. The EPSS score is below 1% and the CVE is not listed in the CISA KEV catalog, but a public PoC exists (the SSVC record marks exploitation as 'poc'), so exposed installations should be treated as readily attackable.

Generated by OpenCVE AI on May 12, 2026 at 23:22 UTC.

Remediation

Fixed in ChurchCRM 7.3.1. No vendor workaround for the 7.2.x releases is documented; the hardening for CVE-2026-4058 was dropped from src/api/routes/public/public-user.php before the 7.2.x tags were cut, so no 7.2.x build carries it.

OpenCVE Recommended Actions

  • Upgrade ChurchCRM to version 7.3.1 or later, where the issue is fixed; 7.2.0, 7.2.1 and 7.2.2 all ship without the hardening
  • Until the upgrade, restrict access to the public API login endpoint with a network firewall, reverse-proxy IP filtering or by disabling the public API routes, so that only trusted networks can reach it
  • Monitor access logs for bursts of POST requests to the public API login endpoint, since the lockout bypass leaves password guessing unthrottled; do not rely on 2FA or account lockout to protect accounts reached through that endpoint until the upgrade is applied, and review accounts that can log in via the API for unexpected sessions
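Because the lockout bypass removes the throttle on password guessing, the most useful interim control is to watch the public API login endpoint for bursts of POSTs from one source. The script below is an added example, not ChurchCRM code or anything from the advisory: it parses combined-format web server access lines and flags any IP that reaches a threshold of login POSTs inside a sliding window. The route `/api/public/user/login` is an assumption about where `public-user.php` is mounted and must be confirmed against your deployment; the log lines are constructed for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# ASSUMPTION: the login route served by src/api/routes/public/public-user.php.
# Confirm the exact path against your own install before relying on this filter.
LOGIN_PATH = "/api/public/user/login"

# Combined log format: ip ident user [timestamp] "METHOD path proto" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)


def parse_line(line):
    """Return (ip, timestamp, method, path, status) or None for unparseable lines."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return m.group("ip"), ts, m.group("method"), m.group("path"), int(m.group("status"))


def detect_login_bursts(lines, threshold=5, window_seconds=60):
    """Return {ip: peak_attempts} for every IP whose POSTs to LOGIN_PATH reach
    `threshold` within any `window_seconds` sliding window.

    Lines are expected in chronological order, as a live access log is.
    """
    recent = defaultdict(deque)   # ip -> timestamps of recent login POSTs
    peaks = {}
    window = timedelta(seconds=window_seconds)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, ts, method, path, _status = parsed
        # Ignore the query string so "?foo=bar" variants still match the route.
        if method != "POST" or path.split("?", 1)[0] != LOGIN_PATH:
            continue
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:   # drop attempts that fell out of the window
            q.popleft()
        if len(q) >= threshold:
            peaks[ip] = max(peaks.get(ip, 0), len(q))
    return peaks


# Constructed sample: one source hammers the login route, another is normal traffic.
SAMPLE_LOG = """\
192.0.2.10 - - [12/May/2026:23:09:58 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [12/May/2026:23:10:01 +0000] "POST /api/public/user/login HTTP/1.1" 401 120 "-" "curl/8.6.0"
203.0.113.7 - - [12/May/2026:23:10:05 +0000] "POST /api/public/user/login HTTP/1.1" 401 120 "-" "curl/8.6.0"
198.51.100.4 - - [12/May/2026:23:10:07 +0000] "POST /api/public/user/login HTTP/1.1" 401 120 "-" "Mozilla/5.0"
203.0.113.7 - - [12/May/2026:23:10:09 +0000] "POST /api/public/user/login HTTP/1.1" 401 120 "-" "curl/8.6.0"
203.0.113.7 - - [12/May/2026:23:10:13 +0000] "POST /api/public/user/login HTTP/1.1" 401 120 "-" "curl/8.6.0"
this line is not an access log entry
203.0.113.7 - - [12/May/2026:23:10:17 +0000] "POST /api/public/user/login HTTP/1.1" 401 120 "-" "curl/8.6.0"
198.51.100.4 - - [12/May/2026:23:10:19 +0000] "POST /api/public/user/login HTTP/1.1" 200 340 "-" "Mozilla/5.0"
203.0.113.7 - - [12/May/2026:23:10:21 +0000] "POST /api/public/user/login?x=1 HTTP/1.1" 200 340 "-" "curl/8.6.0"
203.0.113.7 - - [12/May/2026:23:15:30 +0000] "POST /api/public/user/login HTTP/1.1" 401 120 "-" "curl/8.6.0"
"""

if __name__ == "__main__":
    for ip, count in detect_login_bursts(SAMPLE_LOG.splitlines()).items():
        print(f"ALERT {ip}: {count} login POSTs within 60s")
```

On the sample, 203.0.113.7 trips the alert with six attempts in twenty seconds while 198.51.100.4 (two attempts, one successful) stays quiet; the late attempt at 23:15 falls outside the window and does not raise the peak. Point the script at the real access log of the host fronting ChurchCRM and feed alerts to whatever blocks the source at the proxy or firewall.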

Tracking


Advisories

No advisories yet.

History

Wed, 13 May 2026 16:15:00 +0000

Type: Metrics
Values added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Wed, 13 May 2026 10:00:00 +0000

Type: First Time appeared
Values added: Churchcrm; Churchcrm churchcrm
Type: Vendors & Products
Values added: Churchcrm; Churchcrm churchcrm

Tue, 12 May 2026 22:45:00 +0000

Type: Description
Values added: ChurchCRM is an open-source church management system. From 7.2.0 to 7.2.2, The fix for CVE-2026-4058 is incomplete. The hardening commit was merged and then silently stripped from src/api/routes/public/public-user.php by an unrelated PR before any 7.2.x tag was cut. Every shipped 7.2.x release therefore remains exploitable by the PoC published with the original advisory. This vulnerability is fixed in 7.3.1.
Type: Title
Values added: ChurchCRM: Incomplete fix for CVE-2026-40582: public API login still bypasses 2FA and account lockout in ChurchCRM 7.2.2
Type: Weaknesses
Values added: CWE-287, CWE-304
Type: References
Type: Metrics
Values added: cvssV3_1 {'score': 9.6, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N'}


MITRE

Status: PUBLISHED
Assigner: GitHub_M
Published:
Updated: 2026-05-13T15:36:49.207Z
Reserved: 2026-05-06T20:59:00.593Z
Link: CVE-2026-44547

Vulnrichment

Updated: 2026-05-13T15:33:49.600Z

NVD

Status: Deferred
Published: 2026-05-12T23:16:18.610
Modified: 2026-05-13T16:16:58.563
Link: CVE-2026-44547

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-13T09:45:09Z

Weaknesses