CVE-2026-40485

MEDIUM
2026-04-18 [email protected]
Information Disclosure
5.3
CVSS 3.1
Share

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
None
Availability
None

Lifecycle Timeline

1
Analysis Generated
Apr 18, 2026 - 00:40 vuln.today

DescriptionNVD

ChurchCRM is an open-source church management system. In versions prior to 7.2.0, the public API login endpoint (/api/public/user/login) returns distinguishable HTTP response codes based on whether a username exists: 404 for non-existent users and 401 for valid users with incorrect passwords. An unauthenticated attacker can exploit this difference to enumerate valid usernames, with no rate limiting or account lockout to impede the process. This issue has been fixed in version 7.2.0.

AnalysisAI

ChurchCRM versions prior to 7.2.0 leak valid usernames through the public API login endpoint by returning distinguishable HTTP status codes (404 for non-existent users, 401 for valid users with wrong passwords). An unauthenticated attacker can enumerate valid usernames without rate limiting or account lockout restrictions, enabling targeted credential attacks and social engineering. …

Sign in for full analysis, threat intelligence, and remediation guidance.

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

Sign in - Free

Share

CVE-2026-40485 vulnerability details – vuln.today
Back

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy