CVSS Vector (NVD)
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Description (NVD)
ChurchCRM is an open-source church management system. In versions prior to 7.2.0, the /api/public/user/login endpoint validates only the username and password before returning the user's API key, bypassing the normal authentication flow that enforces account lockout and two-factor authentication checks. An attacker with knowledge of a user's password can obtain API access even when the account is locked or has 2FA enabled, granting direct access to all protected API endpoints with that user's privileges. This issue has been fixed in version 7.2.0. Note: this issue had a duplicate, GHSA-472m-p3gf-46xp, which has been closed.
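The description boils down to one missing step: the public API login checks the password and then hands out the API key, without re-running the lockout and two-factor checks that the interactive login applies. The following is an added, self-contained Python model of that defect beside a hardened variant; it is not ChurchCRM's code (which is PHP) and the user records, the lockout threshold of five failures, the PBKDF2 password hashing, and the RFC 6238 TOTP check are all assumptions made for the illustration.

```python
"""Model of the ChurchCRM-style API login bypass (CVE described above) and a
hardened variant that enforces lockout and 2FA before returning an API key.
Illustrative code only; not the project's own implementation."""
import hashlib
import hmac
import struct
import time
from dataclasses import dataclass
from typing import Dict, Optional

MAX_FAILED_LOGINS = 5   # assumed lockout threshold for the example
TOTP_STEP = 30          # RFC 6238 defaults
TOTP_DIGITS = 6


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)


def totp(secret: bytes, now: float, step: int = TOTP_STEP, digits: int = TOTP_DIGITS) -> str:
    """RFC 6238 TOTP (HMAC-SHA1) for the time step that contains `now`."""
    counter = struct.pack(">Q", int(now) // step)
    digest = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


@dataclass
class User:
    username: str
    salt: bytes
    pw_hash: bytes
    api_key: str
    locked: bool = False
    failed_logins: int = 0
    totp_secret: Optional[bytes] = None   # None means 2FA is not enrolled


def password_ok(user: User, password: str) -> bool:
    return hmac.compare_digest(user.pw_hash, hash_password(password, user.salt))


def vulnerable_api_login(users: Dict[str, User], username: str, password: str) -> Optional[str]:
    """Pre-7.2.0 shape: username and password are the only things checked
    before the API key is returned. Lockout and 2FA state are never consulted."""
    user = users.get(username)
    if user is None or not password_ok(user, password):
        return None
    return user.api_key


def hardened_api_login(users: Dict[str, User], username: str, password: str,
                       totp_code: Optional[str] = None, now: Optional[float] = None) -> Optional[str]:
    """Fixed shape: the API route reuses the interactive login's checks.
    Locked accounts are refused before the password is tested, failures count
    toward lockout, and an enrolled 2FA account must present a valid code."""
    user = users.get(username)
    if user is None or user.locked:
        return None
    if not password_ok(user, password):
        user.failed_logins += 1
        if user.failed_logins >= MAX_FAILED_LOGINS:
            user.locked = True
        return None
    if user.totp_secret is not None:
        if totp_code is None:
            return None
        expected = totp(user.totp_secret, time.time() if now is None else now)
        if not hmac.compare_digest(expected, totp_code):
            return None
    user.failed_logins = 0
    return user.api_key


def demo_users() -> Dict[str, User]:
    """Constructed sample accounts (not real ChurchCRM data)."""
    salt = b"constructed-salt"
    return {
        "locked_admin": User("locked_admin", salt, hash_password("Winter2024!", salt),
                             api_key="key-locked-admin", locked=True),
        "tfa_user": User("tfa_user", salt, hash_password("Summer2024!", salt),
                         api_key="key-tfa-user", totp_secret=b"12345678901234567890"),
    }


if __name__ == "__main__":
    users = demo_users()
    print("vulnerable, locked account:", vulnerable_api_login(users, "locked_admin", "Winter2024!"))
    print("hardened,   locked account:", hardened_api_login(users, "locked_admin", "Winter2024!"))
    print("vulnerable, 2FA user, no code:", vulnerable_api_login(users, "tfa_user", "Summer2024!"))
    print("hardened,   2FA user, no code:", hardened_api_login(users, "tfa_user", "Summer2024!"))
```

Run stand-alone, the vulnerable path returns a usable API key for both the locked account and the 2FA-enrolled account given only the password, which is exactly the condition the advisory describes; the hardened path returns nothing in both cases. The point of the structure is that the API route and the interactive login share one authentication routine, so a lockout or 2FA policy added later cannot be skipped by choosing a different entry point.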
Analysis (AI)
Authentication bypass in ChurchCRM versions prior to 7.2.0 allows remote unauthenticated attackers to obtain valid API keys by submitting credentials directly to the /api/public/user/login endpoint, circumventing account lockout policies and two-factor authentication enforcement. Attackers with stolen or compromised passwords can gain full API access with the victim's privileges even when the account is locked or protected by 2FA. …
Remediation (AI)
Within 24 hours: Identify all ChurchCRM instances in your environment and confirm versions; if any version is prior to 7.2.0, isolate the instance from external access or disable the /api/public/user/login endpoint via firewall/WAF rules. Within 7 days: Upgrade all affected ChurchCRM installations to version 7.2.0 or later per vendor release notes (GitHub commit 214694eb / PR #8607). …