ChurchCRM API key exposed in older versions, allows unauthorized access

CVE-2026-40582
Summary

ChurchCRM versions prior to 7.2.0 are vulnerable to unauthorized API access. An attacker who knows a user's password can access sensitive information and perform actions even if the account is locked or protected with two-factor authentication. Update to the latest version, 7.2.0, to fix the issue.

Original description
ChurchCRM is an open-source church management system. In versions prior to 7.2.0, the /api/public/user/login endpoint validates only the username and password before returning the user's API key, bypassing the normal authentication flow that enforces account lockout and two-factor authentication checks. An attacker with knowledge of a user's password can obtain API access even when the account is locked or has 2FA enabled, granting direct access to all protected API endpoints with that user's privileges. This issue has been fixed in version 7.2.0. Note: this issue had a duplicate, GHSA-472m-p3gf-46xp, which has been closed.
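The weakness the description names (CWE-288, an alternate authentication path) comes down to one login handler skipping policy checks that another handler enforces. The following is an added illustration, not ChurchCRM's code: a credentials-only API login next to a hardened one that runs the same lockout and second-factor checks the interactive login would. Every name, the lockout threshold and the stand-in second-factor check are assumptions made for the example.

```python
from dataclasses import dataclass
from typing import Callable, Optional
import hashlib
import hmac
import secrets

# Constructed example, not ChurchCRM code. LOCKOUT_THRESHOLD is an assumed policy value.
LOCKOUT_THRESHOLD = 5


def hash_password(password: str, salt: bytes) -> bytes:
    """PBKDF2-SHA256 so the demo never stores plaintext passwords."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


@dataclass
class User:
    username: str
    salt: bytes
    pw_hash: bytes
    api_key: str
    locked: bool = False
    second_factor_enabled: bool = False
    failed_logins: int = 0


class AuthError(Exception):
    pass


def verify_password(user: User, password: str) -> bool:
    return hmac.compare_digest(hash_password(password, user.salt), user.pw_hash)


def api_login_vulnerable(users: dict, username: str, password: str) -> str:
    """The pattern in the advisory: username + password alone yield the API key.
    Lockout state and the second factor are never consulted on this path."""
    user = users.get(username)
    if user is None or not verify_password(user, password):
        raise AuthError("invalid credentials")
    return user.api_key


def api_login_hardened(users: dict, username: str, password: str,
                       second_factor_code: Optional[str],
                       second_factor_ok: Callable[[User, str], bool]) -> str:
    """Every path that accepts credentials applies the same policy."""
    user = users.get(username)
    if user is None or user.locked:
        # identical message for unknown and locked accounts: no enumeration
        raise AuthError("invalid credentials")
    if not verify_password(user, password):
        user.failed_logins += 1
        if user.failed_logins >= LOCKOUT_THRESHOLD:
            user.locked = True
        raise AuthError("invalid credentials")
    if user.second_factor_enabled:
        if second_factor_code is None or not second_factor_ok(user, second_factor_code):
            raise AuthError("second factor required")
    user.failed_logins = 0
    return user.api_key


def make_user(username: str, password: str, api_key: str, **flags) -> User:
    salt = secrets.token_bytes(16)
    return User(username, salt, hash_password(password, salt), api_key, **flags)


# Constructed stand-in for a TOTP check: one fixed code per user.
CONSTRUCTED_CODES = {"carol": "246810"}


def constructed_second_factor(user: User, code: str) -> bool:
    return hmac.compare_digest(code, CONSTRUCTED_CODES.get(user.username, ""))


def attempt(fn: Callable[[], str]) -> Optional[str]:
    """Return the issued API key, or None when the login was denied."""
    try:
        return fn()
    except AuthError:
        return None


def demo() -> dict:
    users = {
        "alice": make_user("alice", "correct horse", "key-alice", locked=True),
        "carol": make_user("carol", "battery staple", "key-carol", second_factor_enabled=True),
        "dave": make_user("dave", "hunter2", "key-dave"),
    }
    sf = constructed_second_factor
    r = {}
    # Locked account: the credentials-only path still hands out the key.
    r["locked_vulnerable"] = attempt(lambda: api_login_vulnerable(users, "alice", "correct horse"))
    r["locked_hardened"] = attempt(lambda: api_login_hardened(users, "alice", "correct horse", None, sf))
    # 2FA-enabled account: the credentials-only path ignores the second factor.
    r["2fa_vulnerable"] = attempt(lambda: api_login_vulnerable(users, "carol", "battery staple"))
    r["2fa_hardened_no_code"] = attempt(lambda: api_login_hardened(users, "carol", "battery staple", None, sf))
    r["2fa_hardened_with_code"] = attempt(lambda: api_login_hardened(users, "carol", "battery staple", "246810", sf))
    # Lockout: repeated failures on the hardened path lock the account, then even the right password is refused.
    for _ in range(LOCKOUT_THRESHOLD):
        attempt(lambda: api_login_hardened(users, "dave", "wrong", None, sf))
    r["lockout_after_failures"] = users["dave"].locked
    r["dave_after_lockout"] = attempt(lambda: api_login_hardened(users, "dave", "hunter2", None, sf))
    return r


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The detection angle follows from the same structure: an API key issued to an account whose lockout flag is set, or to a 2FA-enabled account with no second-factor event recorded in the same session, is the signal that an alternate path is bypassing policy.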
NVD CVSS 4.0 score: 9.1
Vulnerability type
CWE-288: Authentication Bypass Using an Alternate Path or Channel
CWE-305: Authentication Bypass by Primary Weakness
Published: 18 Apr 2026 · Updated: 18 Apr 2026 · First seen: 18 Apr 2026