External risk intelligence

ChurchCRM login bypass gives attackers full access to user accounts

CVE advisorySeverity: CRITICAL (CVSS 9.1)

CVE-2026-40582

An issue in ChurchCRM allows unauthorized access to user accounts by bypassing security features like two-factor authentication. This means someone with just a password could access sensitive information and system functions, so updating to version 7.2.0 is critical.

4Halo Surface Signal

External exposure likelihood

Halo Surface Signal score for CVE-2026-40582

The vulnerability affects an API login endpoint within a web-based management application. ChurchCRM is typically deployed as an internet-facing web service to facilitate remote management and access for administrators and staff, making its login interfaces and associated API endpoints standard points of network exposure.

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Horizon Alert

Summary of the vulnerability and why it matters

This issue in ChurchCRM allows attackers to bypass security controls like account lockouts and two-factor authentication by exploiting a flaw in the user login API. This means an attacker with a user's password could gain unauthorized access to sensitive data and system functions.

  • Compromised user credentials can bypass 2FA.
  • Direct access to protected API endpoints is possible.
  • Bypasses account lockout security.

Attack Path

How an attacker could exploit the issue

An attacker can exploit this by directly calling the login API endpoint without proper authentication checks. If the attacker knows a valid username and password, they can bypass account lockouts and two-factor authentication to retrieve an API key. This grants them access to all protected API functions as that user.

  • Target API login endpoint.
  • Bypass normal authentication flow.
  • Obtain user API key.

Live Threat

Current exploitation, exposure, and threat context

This vulnerability could be attractive to attackers looking to bypass security controls on a church management system. The ability to directly obtain an API key bypasses account lockout and two-factor authentication, offering a direct path to user privileges. While this is a critical flaw, the specific nature of the software may limit widespread attacker interest compared to more general-purpose applications.

  • Exploitation requires prior knowledge of a username and password.
  • No public exploit or KEV signals observed.
  • Vulnerability fixed in version 7.2.0.

Priority actions

Operational Fix

Recommended remediation, mitigation, and detection steps

Prioritize patching ChurchCRM to version 7.2.0 immediately due to the critical bypass of authentication controls, which could allow unauthorized API access. If immediate patching is not feasible, implement strict network segmentation and heightened monitoring around the affected application to detect and block suspicious API access attempts.

  • Apply patch to version 7.2.0.
  • Isolate affected services from network.
  • Monitor for API key abuse.

Frequently asked questions

What is ChurchCRM and its purpose in managing religious organizations?

ChurchCRM is an open-source software designed to assist religious organizations with their administrative tasks. It facilitates the management of member information, tracks donations, and helps coordinate various church activities, aiming to enhance operational efficiency.

What type of weakness does CVE-2026-40582 represent in ChurchCRM?

CVE-2026-40582 represents a bypass of authentication controls (CWE-288) and issues with incorrect authentication (CWE-305). This means the system incorrectly handles user login attempts, enabling attackers to circumvent security measures such as account lockouts and two-factor authentication.

How can an attacker exploit the vulnerability in ChurchCRM's API login?

An attacker can exploit this by directly calling the /api/public/user/login endpoint. If they know a user's password, they can bypass account lockout and two-factor authentication to obtain an API key, thereby gaining access to all protected API endpoints with that user's privileges.

What is the relevance of CVE-2026-40582, considering Halo Surface Signal?

Halo classifies this CVE as externally relevant because it affects a network-accessible API login endpoint within a web-based management application. ChurchCRM, often deployed as an internet-facing service, presents its login interfaces and API endpoints as standard points of network exposure for potential exploitation.

What is the recommended action to address the ChurchCRM vulnerability?

The critical vulnerability requires immediate patching of ChurchCRM to version 7.2.0. If patching is not immediately possible, implementing strict network segmentation around the affected application and closely monitoring for suspicious API access attempts are recommended protective measures.

References

Sources and related resources

Primary sources: NVD, CVE.org.

NVDPublished Modified