Vulnerability in ChurchCRM Allows API Key Access via Insecure Login Mechanism
CVE-2026-40582

9.1CRITICAL

Key Information:

Vendor

Churchcrm

Status
Crm
Vendor
CVE Published:
17 April 2026

What is CVE-2026-40582?

ChurchCRM is an open-source church management software that, prior to version 7.2.0, exhibited a critical vulnerability in its login endpoint. This endpoint only validated user credentials (username and password) before issuing an API key, neglecting essential security protocols such as account lockout and two-factor authentication (2FA). Consequently, an attacker armed with just a user's password could exploit this flaw to gain unrestricted access to the user's API, regardless of the account's security measures. This breach threatens all secured API functionalities that require user privileges. The issue has been rectified in version 7.2.0.

Affected Version(s)

CRM < 7.2.0

References

https://github.com/ChurchCRM/CRM/security/advisories/GHSA...
x_refsource_CONFIRM
https://github.com/ChurchCRM/CRM/pull/8607
x_refsource_MISC
https://github.com/ChurchCRM/CRM/commit/214694eb83778e1f5...
x_refsource_MISC

CVSS V4

Score:
9.1
Severity:
CRITICAL
Confidentiality:
High
Integrity:
High
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
Physical
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.