PT-2026-33527 · Churchcrm · Churchcrm

Published: 2026-04-17 · Updated: 2026-04-18 · CVE-2026-40582

CVSS v4.0: 9.1 (Critical)

Vector: AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions: ChurchCRM versions prior to 7.2.0

Description: The '/api/public/user/login' endpoint validates only the username and password before returning the user's API key. This process bypasses the standard authentication flow, which includes account lockout and two-factor authentication (2FA) checks. An attacker who knows a user's password can obtain API access and reach all protected API endpoints with that user's privileges, even if the account is locked or 2FA is enabled.

Recommendations: Update to version 7.2.0.
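As an added illustration of the weakness the description names (this is not ChurchCRM's code; the account model, the lockout threshold, the `otp_verified` flag and the status strings are all assumptions), a credentials-only login that hands out the API key is placed beside a login that runs the same lockout and second-factor checks as the interactive flow:

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass

MAX_FAILED = 5            # assumed lockout threshold
LOCKOUT_SECONDS = 900     # assumed lockout window

@dataclass
class User:
    username: str
    password_hash: str        # sha256 here for brevity; use bcrypt/argon2 in practice
    api_key: str
    failed_attempts: int = 0
    locked_until: float = 0.0
    two_factor_enabled: bool = False

def make_user(username, password, two_factor_enabled=False):
    """Constructed test account; the API key is random."""
    return User(username, hashlib.sha256(password.encode()).hexdigest(),
                secrets.token_hex(16), two_factor_enabled=two_factor_enabled)

def check_password(user, password):
    digest = hashlib.sha256(password.encode()).hexdigest()
    return hmac.compare_digest(digest, user.password_hash)

def login_credentials_only(user, password):
    """Weak alternate path, as the advisory describes it: only the
    username/password check runs, so lockout state and 2FA are never
    consulted and the API key goes to anyone holding the password."""
    return user.api_key if check_password(user, password) else None

def login_full(user, password, otp_verified, now):
    """Hardened path: every check the interactive login performs runs
    before an API key is issued. Returns (api_key_or_None, status)."""
    if now < user.locked_until:
        return None, "locked"
    if not check_password(user, password):
        user.failed_attempts += 1
        if user.failed_attempts >= MAX_FAILED:
            user.locked_until = now + LOCKOUT_SECONDS
        return None, "bad_credentials"
    if user.two_factor_enabled and not otp_verified:
        # second factor not yet proven for this session: no key
        return None, "second_factor_required"
    user.failed_attempts = 0
    return user.api_key, "ok"
```

The review question for any endpoint that issues a credential is the one this contrast makes visible: does it consult fewer checks than the primary login before handing out the same key.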

Fix

Weakness Enumeration: Authentication Bypass Using an Alternate Path or Channel (CWE-288)

Related Identifiers: CVE-2026-40582

Affected Products: Churchcrm