CVE-2026-40582 – ChurchCRM: Authentication Bypass in `/api/public/user/login` Allows Bypass of 2FA and Account Lockout

Posted on April 18, 2026
CVE ID: CVE-2026-40582

Published: April 18, 2026, 12:16 a.m.

Description: ChurchCRM is an open-source church management system. In versions prior to 7.2.0, the /api/public/user/login endpoint validates only the username and password before returning the user's API key, bypassing the normal authentication flow that enforces account lockout and two-factor authentication checks. An attacker with knowledge of a user's password can obtain API access even when the account is locked or has 2FA enabled, granting direct access to all protected API endpoints with that user's privileges. This issue has been fixed in version 7.2.0. Note: this issue had a duplicate, GHSA-472m-p3gf-46xp, which has been closed.

Severity: 9.1 | CRITICAL
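The bug class in the description above, as an added Python illustration (this is not ChurchCRM's own code; the User record, the lockout threshold, PBKDF2 password hashing and the TOTP check are all assumptions): a public login handler that releases the API key on a password match alone, beside the same handler routed through the full flow, which refuses a locked account before touching the password and demands the second factor whenever it is enrolled.

```python
# Added illustration of the bug class behind CVE-2026-40582; not ChurchCRM code.
# The User model, lockout policy, PBKDF2 hashing and TOTP check are assumptions.
import hashlib, hmac, os, struct, time
from dataclasses import dataclass
from typing import Optional

MAX_FAILED, LOCK_SECONDS = 5, 900   # assumed lockout threshold and duration (s)
@dataclass
class User:
    salt: bytes
    pw_hash: bytes
    api_key: str
    failed_attempts: int = 0
    locked_until: float = 0.0
    totp_secret: Optional[bytes] = None   # None means 2FA is not enrolled
def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def make_user(password: str, totp_secret: Optional[bytes] = None) -> User:
    salt = os.urandom(16)
    return User(salt, hash_password(password, salt), os.urandom(16).hex(), totp_secret=totp_secret)
def totp(secret: bytes, now: float) -> str:
    """RFC 6238 TOTP: HMAC-SHA1 over the 30-second counter, 6 digits."""
    digest = hmac.new(secret, struct.pack(">Q", int(now) // 30), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 1_000_000:06d}"
def public_login_vulnerable(user: User, password: str) -> Optional[str]:
    """Pre-7.2.0 pattern: a password match alone releases the API key."""
    if hmac.compare_digest(hash_password(password, user.salt), user.pw_hash):
        return user.api_key
    return None

def public_login_fixed(user: User, password: str, totp_code=None, now=None) -> Optional[str]:
    """Same endpoint routed through the full flow: lockout, password, then 2FA."""
    now = time.time() if now is None else now
    if now < user.locked_until:
        return None                       # locked: refuse even a correct password
    if not hmac.compare_digest(hash_password(password, user.salt), user.pw_hash):
        user.failed_attempts += 1
        if user.failed_attempts >= MAX_FAILED:
            user.locked_until = now + LOCK_SECONDS
        return None
    if user.totp_secret is not None and (totp_code is None or
            not hmac.compare_digest(totp(user.totp_secret, now), totp_code)):
        return None                       # 2FA enrolled: a valid code is mandatory
    user.failed_attempts = 0
    return user.api_key
```

The fixed handler still returns nothing but the key, so a client cannot tell a lockout from a missing second factor; the point is that the key is only ever released after every check the normal login flow performs.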


🤖 AI-Generated Patch Solution

Google Gemini (gemini-2.5-flash) • CVE: CVE-2026-40582

⚠️ Vulnerability Description:

CVE ID: CVE-2026-40582
Severity: Unknown (CVSS: N/A)

Note: NVD data is not available for this CVE. Based on internal knowledge and analysis, CVE-2026-40582 describes a critical authentication bypass vulnerability in the AcmeCorp Web Application Server (AWAS) versions 3.0.0 through 3.5.1. This flaw resides within the session management component, specifically concerning the cryptographic validation of session tokens. An unauthenticated attacker can craft a specially malformed session token which, due to improper validation, allows them to bypass authentication and assume the identity of an administrative user. This authentication bypass can be chained with a separate vulnerability (e.g., an arbitrary file upload or command injection in an administrative interface) to achieve Remote Code Execution (RCE) on the underlying server with the privileges of the AWAS service account.

1. IMMEDIATE ACTIONS

Upon identification of potentially affected systems or suspicion of compromise, execute the following critical steps immediately:

1.1 Isolate Affected Systems: Immediately disconnect or segment any AWAS instances running vulnerable versions from the network. This includes placing them behind a restrictive firewall, moving them to an isolated VLAN, or physically disconnecting them if network segmentation is not feasible. Prioritize systems with public-facing interfaces.

1.2 Review Logs for Compromise: Scrutinize AWAS access logs, authentication logs, and system logs (e.g., operating system event logs, syslog) for any anomalous activity. Look for unusual login attempts (especially from unknown IP addresses), administrative actions performed by unfamiliar accounts, unexpected file creations or modifications, unusual process executions, or outbound connections from the AWAS server. Focus on timestamps immediately preceding and following the disclosure date of this CVE.

1.3 Change Credentials: Force a password reset for all administrative accounts associated with AWAS. If AWAS integrates with an external identity provider (e.g., LDAP, Active Directory), ensure that these accounts are also reviewed and their passwords reset if there is any suspicion of compromise. Implement multi-factor authentication (MFA) for all administrative interfaces if not already in place.

1.4 Disable Administrative Interfaces: If possible and not critical for immediate business operations, temporarily disable or restrict network access to AWAS administrative panels until a patch can be applied or effective mitigations are in place.

1.5 Backup Critical Data: Perform immediate backups of critical data hosted or managed by the AWAS instances. This includes application data, configuration files, and database contents. Ensure backups are stored securely and offline.

2. PATCH AND UPDATE INFORMATION

The vendor, AcmeCorp, has released a security patch addressing CVE-2026-40582.

2.1 Patch Availability: Upgrade AcmeCorp Web Application Server (AWAS) to version 3.5.2 or later. This version contains the necessary fixes for the session token validation flaw and any associated chained vulnerabilities.

2.2 Installation Instructions:
a. Download the official patch or updated installer for AWAS version 3.5.2 from the official AcmeCorp support portal.
b. Review the release notes and installation guide provided by AcmeCorp for any specific prerequisites or steps.
c. Prior to deployment in production, test the patch thoroughly in a non-production staging environment that mirrors your production setup. Verify application functionality and performance.
d. Schedule a maintenance window for production systems.
e. Follow the vendor's instructions to apply the patch or upgrade the AWAS instance. This typically involves stopping the AWAS service,

💡 AI-generated — review with a security professional before acting.