CVE-2026-40582 Overview
CVE-2026-40582 is a critical authentication bypass vulnerability in ChurchCRM, an open-source church management system. The vulnerability exists in versions prior to 7.2.0 where the /api/public/user/login endpoint validates only the username and password before returning the user's API key. This implementation flaw bypasses the normal authentication flow that enforces account lockout and two-factor authentication (2FA) checks.
An attacker with knowledge of a user's password can exploit this vulnerability to obtain API access even when the account is locked or has 2FA enabled. This grants direct access to all protected API endpoints with the compromised user's privileges, potentially exposing sensitive church member data, financial information, and administrative functions.
Critical Impact
Authentication bypass allowing attackers to circumvent account lockout policies and two-factor authentication, gaining full API access to protected endpoints with stolen credentials.
Affected Products
- ChurchCRM versions prior to 7.2.0
- ChurchCRM installations using the /api/public/user/login endpoint
- Any ChurchCRM deployment with 2FA or account lockout enabled (security controls rendered ineffective)
Discovery Timeline
- 2026-04-18 - CVE CVE-2026-40582 published to NVD
- 2026-04-20 - Last updated in NVD database
Technical Details for CVE-2026-40582
Vulnerability Analysis
This vulnerability is classified under CWE-288 (Authentication Bypass Using an Alternate Path or Channel). The root cause lies in the design of the /api/public/user/login endpoint, which implements a separate authentication flow that fails to enforce critical security controls present in the standard login mechanism.
When users authenticate through the normal web interface, ChurchCRM enforces security policies including account lockout after multiple failed attempts and two-factor authentication verification. However, the API login endpoint provides an alternate authentication path that only validates basic credentials (username and password) without checking the account's lockout status or requiring 2FA verification.
This architectural flaw means that security controls designed to protect user accounts are completely bypassed when authentication occurs through the vulnerable API endpoint. The impact is particularly severe in environments where administrators have implemented 2FA or account lockout policies, as these protections are rendered ineffective.
Root Cause
The vulnerability stems from inconsistent security enforcement across authentication endpoints. The API login handler was implemented without incorporating the security middleware or checks that protect the primary authentication flow. This created an alternate channel through which attackers can authenticate without satisfying security requirements.
The affected code path directly returns the user's API key upon successful credential validation, skipping the intermediate steps that would normally verify account status and enforce multi-factor authentication.
Attack Vector
The attack is network-based and can be executed remotely against any exposed ChurchCRM instance. An attacker who has obtained valid credentials through phishing, credential stuffing, or data breaches can leverage this vulnerability to:
- Access accounts that have been locked due to suspicious activity or failed login attempts
- Bypass two-factor authentication protections entirely
- Obtain API keys that provide persistent access to protected endpoints
- Perform actions with the full privileges of the compromised user account
The vulnerability requires knowledge of valid credentials but circumvents all additional security measures designed to protect accounts even when passwords are compromised.
Detection Methods for CVE-2026-40582
Indicators of Compromise
- Successful API key retrievals for accounts that are currently in locked state
- API authentication events occurring without corresponding 2FA verification logs
- Unusual API access patterns from accounts with 2FA enabled but no recent TOTP validations
- Authentication to /api/public/user/login endpoint followed by API activity without web session establishment
Detection Strategies
- Monitor authentication logs for successful logins to the /api/public/user/login endpoint while the associated account is in lockout status
- Implement alerting on API key issuance events where the account has 2FA enabled but no 2FA verification occurred
- Cross-reference API authentication events with web authentication events to identify discrepancies in security control enforcement
- Audit API access logs for accounts that should be restricted due to lockout policies
Monitoring Recommendations
- Enable detailed logging for all authentication endpoints including /api/public/user/login
- Configure alerts for any authentication bypass indicators such as locked account logins
- Review historical logs for potential exploitation prior to patching
- Implement network monitoring to detect unusual API traffic patterns from external sources
How to Mitigate CVE-2026-40582
Immediate Actions Required
- Upgrade ChurchCRM to version 7.2.0 or later immediately
- Rotate API keys for all user accounts, especially those with elevated privileges
- Review access logs for the /api/public/user/login endpoint for signs of exploitation
- Consider temporarily disabling API access if immediate patching is not possible
Patch Information
The vulnerability has been addressed in ChurchCRM version 7.2.0. The fix ensures that the API login endpoint enforces the same security controls as the standard authentication flow, including account lockout verification and two-factor authentication requirements.
For detailed information about the security fix, refer to the GitHub Security Advisory GHSA-8cwr-x83m-mh9x. The specific code changes can be reviewed in the associated commit and pull request.
Workarounds
- Restrict network access to the ChurchCRM API endpoints using firewall rules or reverse proxy configurations
- Implement Web Application Firewall (WAF) rules to block or rate-limit requests to /api/public/user/login
- Enforce strong, unique passwords for all ChurchCRM accounts to reduce credential compromise risk
- Monitor and alert on all API authentication attempts until patching is completed
# Example: Block API login endpoint using Apache mod_rewrite (temporary workaround)
# Add to .htaccess or Apache configuration
RewriteEngine On
RewriteCond %{REQUEST_URI} ^/api/public/user/login [NC]
RewriteRule .* - [F,L]
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
