Missing Critical Step in Authentication in ChurchCRM - #VU129713

Published: May 5, 2026


Vulnerability identifier: #VU129713
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: N/A
CWE-ID: CWE-304
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: ChurchCRM
Affected software:
ChurchCRM

Detailed vulnerability description

The vulnerability allows a remote user to bypass two-factor authentication and account lockout to obtain an API key and access protected API routes.

The vulnerability exists due to missing critical steps in authentication in the public API login handler (src/api/routes/public/public-user.php) when it processes a password-only login request to /api/public/user/login. A remote user who holds a valid username and password can obtain the account's API key without completing the second factor and without being subject to the account lockout, and can then use that key to access protected API routes.

The browser login path enforces two-factor authentication and account lockout, but the API login and API token authentication path does not re-check those controls, so a key issued through it carries the full privileges of the account. Demonstrated access included finance data.
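The defect described above, illustrated with an added PHP example. This is not ChurchCRM's code: the user record layout, the api_key field, the MAX_FAILED_LOGINS threshold and the function names are assumptions made for the illustration. It places a password-only login handler that hands out the API key next to a single authentication gate that checks lockout, verifies the password, verifies the second factor when one is enrolled, and only then releases the key; token authentication for later requests also re-checks the lockout state.

```php
<?php
// Added example (not ChurchCRM code). Contrasts a password-only API login with
// one authentication gate shared by the browser and API paths. User records,
// key storage and the lockout threshold are illustrative assumptions.

const MAX_FAILED_LOGINS = 5;   // assumed lockout threshold
const TOTP_STEP = 30;          // RFC 6238 time step in seconds

// RFC 6238 TOTP with HMAC-SHA1; $secret is the raw (already base32-decoded) key.
function totpCode(string $secret, int $time, int $digits = 6): string
{
    $counter = pack('N*', 0, intdiv($time, TOTP_STEP));    // 8-byte big-endian counter
    $hash = hash_hmac('sha1', $counter, $secret, true);
    $offset = ord($hash[19]) & 0x0f;
    $bin = ((ord($hash[$offset]) & 0x7f) << 24)
         | (ord($hash[$offset + 1]) << 16)
         | (ord($hash[$offset + 2]) << 8)
         | ord($hash[$offset + 3]);
    return str_pad((string)($bin % (10 ** $digits)), $digits, '0', STR_PAD_LEFT);
}

// Vulnerable shape: the key is issued as soon as the password matches. Neither
// the lockout counter nor the user's second factor is consulted, which is the
// pattern the advisory describes.
function apiLoginPasswordOnly(array $user, string $password): ?string
{
    if (!password_verify($password, $user['password_hash'])) {
        return null;
    }
    return $user['api_key'];
}

// Hardened shape: one gate for every login path. Lockout is checked first, a
// bad password or bad OTP increments the counter, and the key is released only
// after the second factor (when enrolled) has been verified.
function authenticate(array &$user, string $password, ?string $otp, int $now): array
{
    if ($user['failed_logins'] >= MAX_FAILED_LOGINS) {
        return ['ok' => false, 'reason' => 'locked'];
    }
    if (!password_verify($password, $user['password_hash'])) {
        $user['failed_logins']++;
        return ['ok' => false, 'reason' => 'bad_credentials'];
    }
    if ($user['totp_secret'] !== null) {
        if ($otp === null || !hash_equals(totpCode($user['totp_secret'], $now), $otp)) {
            $user['failed_logins']++;            // a wrong OTP also counts toward lockout
            return ['ok' => false, 'reason' => 'second_factor_required'];
        }
    }
    $user['failed_logins'] = 0;
    return ['ok' => true, 'api_key' => $user['api_key']];
}

// Token authentication for subsequent API requests re-checks the lockout state,
// so an already-issued key stops working once the account is locked.
function authorizeApiKey(array $user, string $presentedKey): bool
{
    return $user['failed_logins'] < MAX_FAILED_LOGINS
        && hash_equals($user['api_key'], $presentedKey);
}

// Constructed sample user: known password, TOTP enrolled, not locked out.
$user = [
    'password_hash' => password_hash('correct horse battery staple', PASSWORD_DEFAULT),
    'totp_secret'   => random_bytes(20),
    'api_key'       => bin2hex(random_bytes(16)),
    'failed_logins' => 0,
];
$now = time();

// Password alone: the vulnerable handler returns the key, the gate refuses.
var_dump(apiLoginPasswordOnly($user, 'correct horse battery staple') === $user['api_key']);
var_dump(authenticate($user, 'correct horse battery staple', null, $now)['ok']);

// Password plus the current OTP: the gate releases the key and it authorizes.
$result = authenticate($user, 'correct horse battery staple', totpCode($user['totp_secret'], $now), $now);
var_dump($result['ok'] && authorizeApiKey($user, $result['api_key']));

// Enough bad passwords lock the account; the gate then refuses even correct
// credentials and the previously issued key no longer authorizes.
for ($i = 0; $i < MAX_FAILED_LOGINS; $i++) {
    authenticate($user, 'wrong', null, $now);
}
var_dump(authenticate($user, 'correct horse battery staple', totpCode($user['totp_secret'], $now), $now)['reason']);
var_dump(authorizeApiKey($user, $result['api_key']));
```

The point of the gate is that there is exactly one place where a session or API key can be minted, so a new route cannot forget a control the browser path already enforces; the check to apply when reviewing a fix is that every code path that returns an API key calls that gate rather than password_verify directly.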


Remediation

Install the security update from the vendor's website.

Sources