Skip to main content

ChurchCRM CVE-2026-40485

MEDIUM
Observable Response Discrepancy (CWE-204)
2026-04-18 security-advisories@github.com
5.3
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
5.3 MEDIUM
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
None
Availability
None

Lifecycle Timeline

3
Analysis Generated
Apr 18, 2026 - 00:40 vuln.today
Analysis Generated
Apr 18, 2026 - 00:22 vuln.today
CVE Published
Apr 18, 2026 - 00:16 nvd
MEDIUM 5.3

DescriptionGitHub Advisory

ChurchCRM is an open-source church management system. In versions prior to 7.2.0, the public API login endpoint (/api/public/user/login) returns distinguishable HTTP response codes based on whether a username exists: 404 for non-existent users and 401 for valid users with incorrect passwords. An unauthenticated attacker can exploit this difference to enumerate valid usernames, with no rate limiting or account lockout to impede the process. This issue has been fixed in version 7.2.0.

AnalysisAI

ChurchCRM versions prior to 7.2.0 leak valid usernames through the public API login endpoint by returning distinguishable HTTP status codes (404 for non-existent users, 401 for valid users with wrong passwords). An unauthenticated attacker can enumerate valid usernames without rate limiting or account lockout restrictions, enabling targeted credential attacks and social engineering. This information disclosure vulnerability affects all ChurchCRM deployments using the vulnerable API endpoint and has been patched in version 7.2.0.

Technical ContextAI

ChurchCRM's public API login endpoint at /api/public/user/login implements HTTP status code differentiation based on authentication state, a design anti-pattern covered by CWE-204 (Observable Discrepancy). The endpoint uses 404 (Not Found) when a username does not exist in the system and 401 (Unauthorized) when a username exists but the password is incorrect. This behavior creates an information channel that leaks the existence of valid user accounts. The vulnerability exploits fundamental HTTP semantics where response codes should not disclose internal system state. The lack of rate limiting and account lockout mechanisms compounds the risk by allowing rapid, unrestricted enumeration without triggering defensive measures typical in authentication systems.

Affected ProductsAI

ChurchCRM versions prior to 7.2.0 are affected. This includes all 7.x versions before 7.2.0, 6.x versions, and earlier releases. The vulnerability is specific to the public API login endpoint and affects both standalone deployments and instances integrated into larger systems. The open-source project is hosted on GitHub at ChurchCRM/CRM. No CPE string was provided in the source data, but the project identifier is ChurchCRM.

RemediationAI

Upgrade ChurchCRM to version 7.2.0 or later, which fixes the username enumeration vulnerability by implementing consistent HTTP response codes for both non-existent and incorrect-credential scenarios. Administrators should apply the patch immediately by pulling the latest code from the main branch or downloading the tagged 7.2.0 release. For organizations unable to upgrade immediately, implement network-level compensating controls: disable or restrict access to the /api/public/user/login endpoint via web application firewall (WAF) rules or reverse proxy, allowing only known-good IP ranges; implement rate limiting at the API gateway level (e.g., 5 requests per minute per IP) to slow enumeration attacks; and consider requiring API authentication tokens even for the public login endpoint. Note that WAF-based mitigation may break legitimate login flows for external users, and rate limiting alone does not prevent enumeration but increases time-to-complete. The definitive fix remains upgrading to 7.2.0 or later.

Share

CVE-2026-40485 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy