ChurchCRM: Username Enumeration via Differential Response in Public Login API

5.3 / 10

MEDIUM

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Description

ChurchCRM is an open-source church management system. In versions prior to 7.2.0, the public API login endpoint (/api/public/user/login) returns distinguishable HTTP response codes based on whether a username exists: 404 for non-existent users and 401 for valid users with incorrect passwords. An unauthenticated attacker can exploit this difference to enumerate valid usernames, with no rate limiting or account lockout to impede the process. This issue has been fixed in version 7.2.0.

Basic Information

ID CVE-2026-40485

Source GitHub_M

Published Apr 17, 2026 at 23:29

Affected Product

Vendor ChurchCRM

Product CRM

Version < 7.2.0

Affected Versions ChurchCRM CRM < 7.2.0

CWE Classification

CWE-307 CWE-204

References

{
    "lastseen": "",
    "description": "ChurchCRM is an open-source church management system. In versions prior to 7.2.0, the public API login endpoint (/api/public/user/login) returns distinguishable HTTP response codes based on whether a username exists: 404 for non-existent users and 401 for valid users with incorrect passwords. An unauthenticated attacker can exploit this difference to enumerate valid usernames, with no rate limiting or account lockout to impede the process. This issue has been fixed in version 7.2.0.",
    "published": "2026-04-17T23:29:35.884Z",
    "modified": "2026-04-17T23:29:35.884Z",
    "type": "cve",
    "title": "ChurchCRM: Username Enumeration via Differential Response in Public Login API",
    "source": "GitHub_M",
    "references": "https://github.com/ChurchCRM/CRM/security/advisories/GHSA-x2qh-xmhq-4jpx\nhttps://github.com/ChurchCRM/CRM/pull/8607\nhttps://github.com/ChurchCRM/CRM/commit/214694eb83778e1f5e52b3dfa2a99d0e965c1850",
    "id": "CVE-2026-40485",
    "bulletinFamily": "",
    "cwe": [
        "CWE-307",
        "CWE-204"
    ],
    "cvelist": null,
    "sourceData": "ChurchCRM CRM < 7.2.0",
    "sourceHref": "",
    "cvss": {
        "score": 5.3,
        "severity": "MEDIUM",
        "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "CRM",
    "version": "< 7.2.0",
    "vendor": "ChurchCRM",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

ChurchCRM: Username Enumeration via Differential Response in Public Login API_CVE-2026-40485