ChurchCRM 2FA and Account Lockout Bypass Vulnerability in Public API Login

Vulnerability

A vulnerability in ChurchCRM versions 7.2.0 to 7.2.2 allows for bypassing two-factor authentication (2FA) and account lockout controls in the public API login route. This issue arises from an incomplete fix for a previously identified vulnerability, CVE-2026-40582, which was supposed to harden the API login by enforcing 2FA and lockout checks. However, the necessary changes were inadvertently removed before the 7.2.2 release, leaving all 7.2.x versions exploitable. The vulnerability allows attackers to use valid credentials to log in via the API, bypassing 2FA and lockout measures, and obtain the user's API key, which can be used to access sensitive data through protected API routes.

Impact

Exploitation of this vulnerability allows attackers to bypass 2FA and account lockout controls, obtain the user's API key, and access sensitive information through protected API routes.

Reproduction

The vulnerability can be reproduced by logging into a ChurchCRM account with 2FA enabled via the public API login endpoint. This can be done by sending a POST request with the username and password. The API response will include the user's API key, which can then be used to access protected routes, such as those related to financial data.
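To make the two login paths the advisory contrasts concrete, here is an added illustration (not ChurchCRM's code): a password-only API login that hands out the API key beside one that applies the lockout and 2FA gating the incomplete fix was meant to enforce. User, sample_users, MAX_FAILED, both login functions and the injectable verify_otp callback are assumptions made for this example.

```python
# Hypothetical example, not ChurchCRM code: User, sample_users, the two login
# functions and MAX_FAILED are assumed names and values.
import hashlib, hmac
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple
MAX_FAILED = 5  # assumed lockout threshold
@dataclass
class User:
    password_hash: str
    api_key: str
    totp_secret: Optional[str] = None  # None: 2FA not enrolled
    failed_logins: int = 0

def hash_password(pw: str) -> str:
    return hashlib.sha256(pw.encode()).hexdigest()  # placeholder; use bcrypt/argon2 in production

def sample_users() -> Dict[str, User]:
    # Constructed sample data: alice has 2FA enrolled, bob is already locked out.
    return {
        "alice": User(hash_password("correct horse"), "key-alice", totp_secret="S1"),
        "bob": User(hash_password("hunter2"), "key-bob", failed_logins=MAX_FAILED),
    }

def vulnerable_api_login(users: Dict[str, User], username: str, password: str) -> Optional[str]:
    # The 7.2.x behaviour described above: password only, so 2FA-enrolled and
    # locked-out accounts still receive their API key.
    u = users.get(username)
    if u and hmac.compare_digest(u.password_hash, hash_password(password)):
        return u.api_key
    return None

def hardened_api_login(users: Dict[str, User], username: str, password: str,
                       otp_code: Optional[str] = None,
                       verify_otp: Callable[[str, str], bool] = lambda s, c: False,  # fail closed
                       ) -> Tuple[str, Optional[str]]:
    # Same gating as the interactive login: lockout first, then password, then 2FA.
    u = users.get(username)
    if u is None:
        return ("invalid", None)
    if u.failed_logins >= MAX_FAILED:
        return ("locked", None)
    if not hmac.compare_digest(u.password_hash, hash_password(password)):
        u.failed_logins += 1
        return ("invalid", None)
    if u.totp_secret is not None and (otp_code is None or not verify_otp(u.totp_secret, otp_code)):
        u.failed_logins += 1  # a missing or wrong code counts toward lockout
        return ("2fa_required", None)
    u.failed_logins = 0
    return ("ok", u.api_key)
```

The point to check in a review is that the API route shares the same lockout and 2FA gate as the interactive login rather than carrying its own password-only path.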

Remediation

Users can upgrade to ChurchCRM version 7.3.1, where this vulnerability has been fixed.

Added: May 12, 2026, 11:20 PM
Updated: May 12, 2026, 11:20 PM

Vulnerability Rating

Custom Algorithm
  spread          1.9
  impact          5.0
  exploitability  8.0
  remediation     7.7
  relevance       8.1
  threat          6.4
  urgency         2.9
  incentive       0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.