ChurchCRM CVE-2026-40485
MEDIUMSeverity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Lifecycle Timeline
3DescriptionGitHub Advisory
ChurchCRM is an open-source church management system. In versions prior to 7.2.0, the public API login endpoint (/api/public/user/login) returns distinguishable HTTP response codes based on whether a username exists: 404 for non-existent users and 401 for valid users with incorrect passwords. An unauthenticated attacker can exploit this difference to enumerate valid usernames, with no rate limiting or account lockout to impede the process. This issue has been fixed in version 7.2.0.
AnalysisAI
ChurchCRM versions prior to 7.2.0 leak valid usernames through the public API login endpoint by returning distinguishable HTTP status codes (404 for non-existent users, 401 for valid users with wrong passwords). An unauthenticated attacker can enumerate valid usernames without rate limiting or account lockout restrictions, enabling targeted credential attacks and social engineering. This information disclosure vulnerability affects all ChurchCRM deployments using the vulnerable API endpoint and has been patched in version 7.2.0.
Technical ContextAI
ChurchCRM's public API login endpoint at /api/public/user/login implements HTTP status code differentiation based on authentication state, a design anti-pattern covered by CWE-204 (Observable Discrepancy). The endpoint uses 404 (Not Found) when a username does not exist in the system and 401 (Unauthorized) when a username exists but the password is incorrect. This behavior creates an information channel that leaks the existence of valid user accounts. The vulnerability exploits fundamental HTTP semantics where response codes should not disclose internal system state. The lack of rate limiting and account lockout mechanisms compounds the risk by allowing rapid, unrestricted enumeration without triggering defensive measures typical in authentication systems.
Affected ProductsAI
ChurchCRM versions prior to 7.2.0 are affected. This includes all 7.x versions before 7.2.0, 6.x versions, and earlier releases. The vulnerability is specific to the public API login endpoint and affects both standalone deployments and instances integrated into larger systems. The open-source project is hosted on GitHub at ChurchCRM/CRM. No CPE string was provided in the source data, but the project identifier is ChurchCRM.
RemediationAI
Upgrade ChurchCRM to version 7.2.0 or later, which fixes the username enumeration vulnerability by implementing consistent HTTP response codes for both non-existent and incorrect-credential scenarios. Administrators should apply the patch immediately by pulling the latest code from the main branch or downloading the tagged 7.2.0 release. For organizations unable to upgrade immediately, implement network-level compensating controls: disable or restrict access to the /api/public/user/login endpoint via web application firewall (WAF) rules or reverse proxy, allowing only known-good IP ranges; implement rate limiting at the API gateway level (e.g., 5 requests per minute per IP) to slow enumeration attacks; and consider requiring API authentication tokens even for the public login endpoint. Note that WAF-based mitigation may break legitimate login flows for external users, and rate limiting alone does not prevent enumeration but increases time-to-complete. The definitive fix remains upgrading to 7.2.0 or later.
Same weakness CWE-204 – Observable Response Discrepancy
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today