Skip to main content

ChurchCRM CVE-2026-40582

CRITICAL
Authentication Bypass Using an Alternate Path or Channel (CWE-288)
2026-04-18 security-advisories@github.com
9.1
CVSS 4.0 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
9.1 CRITICAL
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

4
Re-analysis Queued
Apr 20, 2026 - 19:07 vuln.today
cvss_changed
Analysis Generated
Apr 18, 2026 - 00:39 vuln.today
Analysis Generated
Apr 18, 2026 - 00:22 vuln.today
CVE Published
Apr 18, 2026 - 00:16 nvd
CRITICAL 9.1

DescriptionGitHub Advisory

ChurchCRM is an open-source church management system. In versions prior to 7.2.0, the /api/public/user/login endpoint validates only the username and password before returning the user's API key, bypassing the normal authentication flow that enforces account lockout and two-factor authentication checks. An attacker with knowledge of a user's password can obtain API access even when the account is locked or has 2FA enabled, granting direct access to all protected API endpoints with that user's privileges. This issue has been fixed in version 7.2.0. Note: this issue had a duplicate, GHSA-472m-p3gf-46xp, which has been closed.

AnalysisAI

Authentication bypass in ChurchCRM versions prior to 7.2.0 allows remote unauthenticated attackers to obtain valid API keys by submitting credentials directly to the /api/public/user/login endpoint, circumventing account lockout policies and two-factor authentication enforcement. Attackers with stolen or compromised passwords can gain full API access with the victim's privileges even when the account is locked or protected by 2FA. CVSS 9.1 critical severity. Fixed in version 7.2.0 via GitHub commit 214694eb and PR #8607. No CISA KEV listing or public exploit code identified at time of analysis, though the vulnerability class (CWE-288: Authentication Bypass) is well-understood and straightforward to exploit once credentials are obtained through phishing, credential stuffing, or database leaks.

Technical ContextAI

ChurchCRM is a PHP-based church management system handling member data, donations, and administrative functions. The vulnerability stems from CWE-288 (Authentication Bypass Using an Alternate Path or Channel). The /api/public/user/login endpoint implements a simplified authentication flow that validates only username/password credentials before issuing an API key, completely bypassing the security controls enforced by the primary authentication system. Standard login flows enforce account lockout after failed attempts and require two-factor authentication token validation before granting access. The vulnerable endpoint skips these checks, treating password validation as sufficient proof of identity. This creates an alternate authentication path that undermines security policies configured elsewhere in the application. The CVSS 4.0 vector (AV:N/AC:L/AT:P/PR:N/UI:N) indicates network-accessible exploitation with low attack complexity but present attack requirements, likely referring to the need for valid credentials.

Affected ProductsAI

ChurchCRM versions prior to 7.2.0 are vulnerable. ChurchCRM is an open-source church management system written in PHP, typically self-hosted by religious organizations. The vulnerability affects all deployment configurations that expose the /api/public/user/login endpoint to network access. Official vendor advisory available at https://github.com/ChurchCRM/CRM/security/advisories/GHSA-8cwr-x83m-mh9x confirms the affected version range and remediation details.

RemediationAI

Upgrade immediately to ChurchCRM version 7.2.0 or later, which implements proper authentication flow validation on the /api/public/user/login endpoint per GitHub PR #8607 and commit 214694eb83778e1f5e52b3dfa2a99d0e965c1850. Full vendor advisory with upgrade instructions at https://github.com/ChurchCRM/CRM/security/advisories/GHSA-8cwr-x83m-mh9x. If immediate upgrade is not feasible, implement compensating controls: (1) Block external network access to /api/public/user/login via web application firewall or reverse proxy rules, restricting API access to trusted internal networks only - this prevents remote exploitation but breaks legitimate external API integrations. (2) Enforce strong unique passwords and deploy anti-phishing training to reduce credential compromise vectors, though this does not fix the underlying bypass. (3) Monitor API key issuance logs for anomalous requests from locked or 2FA-protected accounts. These workarounds reduce attack surface but do not eliminate the vulnerability - upgrading to 7.2.0 is the only complete remediation.

Share

CVE-2026-40582 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy