CVE-2026-39339

ChurchCRM · ChurchCRM

An authentication bypass vulnerability in ChurchCRM's API middleware allows unauthenticated attackers to access protected API endpoints, exposing sensitive member data and system information.

Executive summary

A critical authentication bypass in ChurchCRM versions prior to 7.1.0 allows unauthenticated attackers to gain unauthorized access to restricted API endpoints.

Vulnerability

This is an authentication bypass in the ChurchCRM/Slim/Middleware/AuthMiddleware.php file. Unauthenticated attackers can circumvent the middleware's access control by injecting the string "api/public" into the request URL, so that requests for protected endpoints are treated as requests for public ones.

Business impact

The vulnerability poses a severe risk to data confidentiality and integrity, as it allows unauthorized access to church member databases and internal system metadata. With a CVSS score of 9.1, this flaw could lead to mass data exfiltration and potential regulatory non-compliance regarding sensitive personal information.

Remediation

Immediate Action: Upgrade all instances of ChurchCRM to version 7.1.0 or later to apply the middleware security patch.

Proactive Monitoring: Review web server and application access logs for unusual patterns, specifically monitoring for requests containing "api/public" strings targeting protected endpoints.

Compensating Controls: Implement a Web Application Firewall (WAF) rule to block or sanitize incoming requests containing "api/public" in the URL path until the patch can be deployed.
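As an added detection example for the Proactive Monitoring step (not part of the advisory and not ChurchCRM code), the script below scans web-server access-log lines and flags requests in which "api/public" appears anywhere other than as the leading path prefix. The combined-log format, the endpoint paths and the sample traffic are constructed assumptions.

```python
import re
from typing import Dict, List
from urllib.parse import unquote, urlsplit

# Assumed Apache/nginx combined-log layout; adjust the regex to the real format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<url>\S+) \S+" (?P<status>\d{3})'
)
MARKER = "api/public"


def is_suspicious(url: str) -> bool:
    """True when 'api/public' occurs outside the leading path prefix,
    which is the only place a genuine public endpoint carries it."""
    parts = urlsplit(url)
    # Decode percent-encoding once and collapse repeated slashes so the
    # marker cannot hide behind trivial encoding differences.
    path = re.sub(r"/+", "/", unquote(parts.path)).lower()
    query = unquote(parts.query).lower()
    if MARKER in query:
        return True
    legitimate_prefix = "/" + MARKER
    return MARKER in path and not (
        path == legitimate_prefix or path.startswith(legitimate_prefix + "/")
    )


def scan(lines: List[str]) -> List[Dict[str, str]]:
    """Return the client IP, URL and status of every suspicious request."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if m and is_suspicious(m["url"]):
            hits.append({"ip": m["ip"], "url": m["url"], "status": m["status"]})
    return hits


# Constructed sample log lines (not real traffic); endpoint names are placeholders.
SAMPLE_LOG = [
    '198.51.100.7 - - [01/Jan/2026:10:00:00 +0000] "GET /api/public/ping HTTP/1.1" 200',
    '198.51.100.7 - - [01/Jan/2026:10:00:01 +0000] "GET /api/persons HTTP/1.1" 401',
    '203.0.113.9 - - [01/Jan/2026:10:00:02 +0000] "GET /api/persons?via=api/public HTTP/1.1" 200',
    '203.0.113.9 - - [01/Jan/2026:10:00:03 +0000] "GET /api/persons/api%2Fpublic HTTP/1.1" 200',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(f"suspicious request from {hit['ip']}: {hit['url']} -> {hit['status']}")
```

A 200 status on a flagged request for a protected endpoint is the strongest signal that the bypass succeeded; a 401 indicates the middleware rejected it.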

Exploitation status

Public Exploit Available: Not specified.

Analyst recommendation

The severity of this authentication bypass cannot be overstated, as it provides a direct path to sensitive internal data without requiring credentials. Organizations must prioritize the update to version 7.1.0 to eliminate this exposure and prevent unauthorized access to their management systems.