Impact
ChurchCRM's API middleware contains a critical authentication bypass that allows unauthenticated attackers to access all protected API endpoints by including the string "api/public" anywhere in the request URL. This flaw enables an attacker to retrieve complete member data and system information, exposing personal data and operational details. The vulnerability is identified as CWE-284.
Affected Systems
The affected product is ChurchCRM:CRM. Versions prior to 7.1.0 are vulnerable; the issue was fixed in version 7.1.0. No other versions are listed as affected.
Risk and Exploitability
The CVSS score of 9.1 classifies the vulnerability as high severity. The EPSS score indicates a low exploitation probability of 1%, and the CVE is not listed in the CISA KEV catalog. The attack vector likely involves sending crafted HTTP requests to the API endpoints; thus any network user with API access can exploit the bypass. Successful exploitation would compromise the confidentiality and integrity of church member data and expose system information for misuse.
OpenCVE Enrichment