Monitor vulnerabilities like this one.
Sign up free to get alerted when software you use is affected.
5.3
ChurchCRM Public API Leaks Valid Usernames
CVE-2026-40485
Summary
ChurchCRM versions prior to 7.2.0 leak valid usernames through the public API login endpoint, making it easier for attackers to guess valid usernames. This can lead to unauthorized access to sensitive data. Update to version 7.2.0 to fix this issue.
Original title
ChurchCRM is an open-source church management system. In versions prior to 7.2.0, the public API login endpoint (/api/public/user/login) returns distinguishable HTTP response codes based on whether...
Original description
ChurchCRM is an open-source church management system. In versions prior to 7.2.0, the public API login endpoint (/api/public/user/login) returns distinguishable HTTP response codes based on whether a username exists: 404 for non-existent users and 401 for valid users with incorrect passwords. An unauthenticated attacker can exploit this difference to enumerate valid usernames, with no rate limiting or account lockout to impede the process. This issue has been fixed in version 7.2.0.
nvd CVSS3.1
5.3
Vulnerability type
CWE-204
CWE-307
Published: 18 Apr 2026 · Updated: 18 Apr 2026 · First seen: 18 Apr 2026