PT-2026-33533 · Churchcrm · Churchcrm

Published 2026-04-17 · Updated 2026-04-18 · CVE-2026-40485

CVSS v3.1: 5.3 (Medium)

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Name of the Vulnerable Software and Affected Versions

ChurchCRM versions prior to 7.2.0

Description

The public API login endpoint '/api/public/user/login' returns a different HTTP status code depending on whether the submitted username exists: 404 when the user does not exist and 401 when the user exists but the password is wrong. An unauthenticated attacker can therefore enumerate valid usernames by submitting a wordlist of candidate names with an arbitrary password and reading nothing but the status code. The endpoint applies no rate limiting or account lockout, so the enumeration runs at full speed, and the recovered usernames can then be fed into password guessing against the same endpoint. Only confidentiality is affected (C:L), which is why the score is Medium.

Recommendations

Update to version 7.2.0. Until the upgrade is applied, restricting access to the public API login endpoint at the reverse proxy and throttling login attempts per source address limits how quickly the oracle can be queried.
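To make the oracle concrete, the following is an added example and not ChurchCRM's code: a minimal stand-in for a login handler that behaves as the advisory describes (404 for an unknown user, 401 for a wrong password), an attacker-side enumerator that reads only the status code, and a hardened handler that returns 401 for every failure, does the same amount of work on both paths, and throttles repeated attempts. The user store, passwords, candidate list and the MAX_ATTEMPTS policy are all constructed for the example.

```python
"""Response-code oracle in a login endpoint: added example, not ChurchCRM's code.

vulnerable_login  - status code leaks whether the username exists
enumerate_users   - attacker side, needs nothing but the status code
hardened_login    - one failure code, constant work, attempt throttling
All usernames, passwords and MAX_ATTEMPTS are constructed for the example.
"""
import hashlib
import hmac
import os
from collections import defaultdict


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 20_000)


_SALT = os.urandom(16)
# Constructed user store; not real accounts.
USERS = {
    "admin": _hash("correct horse battery staple", _SALT),
    "pastor": _hash("another-secret", _SALT),
}
# Verified against when the user does not exist, so the unknown-user path
# costs the same as the wrong-password path.
_DUMMY_HASH = _hash("dummy", _SALT)

# Candidate list an attacker might bring; constructed for the example.
CANDIDATES = ["admin", "root", "pastor", "guest", "deacon", "ops"]


def vulnerable_login(username: str, password: str) -> int:
    """Behaviour the advisory describes: the status code tells the caller
    whether the username exists before the password is even checked."""
    stored = USERS.get(username)
    if stored is None:
        return 404                      # unknown user
    if not hmac.compare_digest(stored, _hash(password, _SALT)):
        return 401                      # known user, wrong password
    return 200


MAX_ATTEMPTS = 5                        # assumed lockout policy
_attempts = defaultdict(int)            # failed attempts per client address


def reset_attempts() -> None:
    _attempts.clear()


def hardened_login(username: str, password: str, client: str = "198.51.100.7") -> int:
    """Same outcome for 'no such user' and 'wrong password', a hash
    computed on both paths, and 429 once a client exceeds MAX_ATTEMPTS
    failures. 'client' stands in for the source address."""
    if _attempts[client] >= MAX_ATTEMPTS:
        return 429
    stored = USERS.get(username, _DUMMY_HASH)
    password_ok = hmac.compare_digest(stored, _hash(password, _SALT))
    if not (password_ok and username in USERS):
        _attempts[client] += 1
        return 401                      # one failure code for every failure
    _attempts[client] = 0
    return 200


def enumerate_users(login, candidates) -> set:
    """Attacker side. Learn the 'unknown user' code from a name that cannot
    exist, then flag every candidate whose failure code differs from it.
    Stops as soon as the endpoint starts throttling."""
    junk = "definitely-not-the-password"
    baseline = login("no-such-user-" + os.urandom(4).hex(), junk)
    found = set()
    for name in candidates:
        status = login(name, junk)
        if status == 429:               # throttled: the oracle is closed
            break
        if status != baseline:
            found.add(name)
    return found


if __name__ == "__main__":
    print("vulnerable:", sorted(enumerate_users(vulnerable_login, CANDIDATES)))
    reset_attempts()
    print("hardened:  ", sorted(enumerate_users(hardened_login, CANDIDATES)))
```

Against vulnerable_login the enumerator recovers both real accounts from the six candidates; against hardened_login every failure looks the same and the attempt counter closes the oracle after five requests. Note that collapsing the status codes is not enough on its own: if the unknown-user path skipped the password hash it would still be distinguishable by response time, which is why the hardened handler verifies against a dummy hash for unknown names.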

Fix

Weakness Enumeration

Improper Restriction of Excessive Authentication Attempts (CWE-307)

Related Identifiers

CVE-2026-40485

Affected Products

ChurchCRM