Description
ChurchCRM is an open-source church management system. Prior to 7.1.0, a critical authentication bypass vulnerability in ChurchCRM's API middleware (ChurchCRM/Slim/Middleware/AuthMiddleware.php) allows unauthenticated attackers to access all protected API endpoints by including "api/public" anywhere in the request URL, leading to complete exposure of church member data and system information. This vulnerability is fixed in 7.1.0.
Published: 2026-04-07
Score: 9.1 Critical
EPSS: 19.1% Moderate
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

ChurchCRM's API middleware (ChurchCRM/Slim/Middleware/AuthMiddleware.php) contains a critical authentication bypass: a request is treated as belonging to the unauthenticated public API whenever the string "api/public" appears anywhere in the request URL, so an attacker with no credentials can reach every protected API endpoint simply by placing that string in the URL. Successful exploitation exposes complete member records (personal data) and system information. The weakness is classified as CWE-284: Improper Access Control.

Affected Systems

The affected product is ChurchCRM (CPE vendor/product churchcrm:churchcrm). All versions prior to 7.1.0 are vulnerable; the issue is fixed in 7.1.0. No other products or version ranges are listed as affected.

Risk and Exploitability

The CVSS v3.1 base score of 9.1 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N) places this vulnerability in the Critical range: it is reachable over the network, needs no privileges and no user interaction, and is low complexity. The EPSS estimate of 19.1% is moderate, the SSVC enrichment records a public proof of concept with an automatable attack, and the CVE is not in the CISA KEV catalog. The attack is a crafted HTTP request to the API, so anyone who can reach the API surface is positioned to exploit it. Successful exploitation compromises the confidentiality and integrity of church member data (C:H/I:H); availability is not rated as affected (A:N).

Generated by OpenCVE AI on May 22, 2026 at 15:48 UTC.

Remediation

Vendor fix: ChurchCRM 7.1.0 or later (per the CVE description). No separate workaround is published on this page.

OpenCVE Recommended Actions

  • Upgrade ChurchCRM to version 7.1.0 or later; this is the only complete fix for the authentication bypass.
  • Until the upgrade is applied, restrict reachability of the API to trusted networks where the deployment allows it, and at a reverse proxy reject requests whose URL contains "api/public" anywhere other than as the leading path prefix of the legitimate public API. A blanket rule that blocks every API endpoint would also break the application's own clients, so scope the rule to the bypass pattern.
  • Review API access logs for requests that carry "api/public" in an unexpected position (in the query string, mid-path, or after a traversal segment) for the period before the patch as well as after it; treat such requests against protected endpoints as potential data exposure and investigate them.
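The following is an added example, written for this page and not taken from ChurchCRM, its AuthMiddleware.php, or OpenCVE. It models the bug class the Impact section describes (a substring test for "api/public" that grants anonymous access wherever the string appears) next to an anchored, path-normalising check, and then uses the two together to review sample access-log lines as the last recommended action suggests. The canonical public prefix /api/public/, every endpoint path, and all log lines are assumptions constructed for the example; the real middleware is PHP and its exact logic is not reproduced here.

```python
"""Model of the CVE-2026-39339 bug class plus a log review for it.

Added example code, not ChurchCRM's middleware. PUBLIC_PREFIX, the endpoint
paths and the log lines below are all hypothetical/constructed.
"""
import re
from urllib.parse import urlsplit, unquote

# Assumed canonical prefix of the unauthenticated public API.
PUBLIC_PREFIX = "/api/public/"


def substring_check_is_public(url: str) -> bool:
    """Vulnerable pattern (assumed shape of the flaw the advisory describes):
    the request is treated as public if 'api/public' occurs anywhere in it."""
    return "api/public" in url


def canonical_path(url: str) -> str:
    """Return the decoded, dot-segment-free path of a request target.

    Normalising first means '..' segments, '//' runs and percent-encoding
    cannot be used to carry the marker string past a prefix comparison."""
    path = unquote(urlsplit(url).path)
    segments = []
    for seg in path.split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if segments:
                segments.pop()
            continue
        segments.append(seg)
    return "/" + "/".join(segments)


def anchored_check_is_public(url: str) -> bool:
    """Hardened pattern: only a request whose normalised path sits under the
    public prefix is exempt from authentication. Query string is ignored."""
    path = canonical_path(url)
    return path == PUBLIC_PREFIX.rstrip("/") or path.startswith(PUBLIC_PREFIX)


# Matches the request line inside a common/combined-format access log entry.
LOG_LINE = re.compile(
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)


def find_bypass_attempts(log_lines):
    """Flag requests that the vulnerable substring test would have let through
    as 'public' but that the anchored check rejects: on a pre-7.1.0 server
    these are candidate unauthenticated reads of protected endpoints."""
    hits = []
    for line in log_lines:
        m = LOG_LINE.search(line)
        if not m:
            continue
        target = m.group("target")
        if substring_check_is_public(target) and not anchored_check_is_public(target):
            hits.append((m.group("method"), target, m.group("status")))
    return hits


# Constructed sample log; the endpoint names are hypothetical, not ChurchCRM routes.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Apr/2026:10:01:02 +0000] "GET /api/public/ping HTTP/1.1" 200 17',
    '203.0.113.7 - - [10/Apr/2026:10:01:09 +0000] "GET /api/members?x=api/public HTTP/1.1" 200 48211',
    '203.0.113.7 - - [10/Apr/2026:10:01:15 +0000] "GET /api/public/../members HTTP/1.1" 200 48211',
    '203.0.113.7 - - [10/Apr/2026:10:01:21 +0000] "GET /api/families/1/api/public HTTP/1.1" 200 902',
    '198.51.100.4 - - [10/Apr/2026:10:02:00 +0000] "GET /api/members HTTP/1.1" 401 0',
]


if __name__ == "__main__":
    for method, target, status in find_bypass_attempts(SAMPLE_LOG):
        print(f"bypass candidate: {method} {target} -> {status}")
```

Of the five sample lines, the legitimate public request and the request that was correctly refused with 401 are not flagged; the three that smuggle "api/public" through the query string, a traversal segment, and a trailing path segment are. The same anchored predicate doubles as the shape of the server-side fix: decide on the normalised path, not on a substring of the raw URL.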

Generated by OpenCVE AI on May 22, 2026 at 15:48 UTC.


Advisories

No advisories yet.

History

Fri, 10 Apr 2026 21:00:00 +0000

Type: CPEs
Values removed: none
Values added: cpe:2.3:a:churchcrm:churchcrm:*:*:*:*:*:*:*:*

Thu, 09 Apr 2026 08:30:00 +0000

Type: First Time appeared
Values removed: none
Values added: Churchcrm; Churchcrm churchcrm

Type: Vendors & Products
Values removed: none
Values added: Churchcrm; Churchcrm churchcrm

Tue, 07 Apr 2026 20:45:00 +0000

Type: Description
Values removed: none
Values added: ChurchCRM is an open-source church management system. Prior to 7.1.0, a critical authentication bypass vulnerability in ChurchCRM's API middleware (ChurchCRM/Slim/Middleware/AuthMiddleware.php) allows unauthenticated attackers to access all protected API endpoints by including "api/public" anywhere in the request URL, leading to complete exposure of church member data and system information. This vulnerability is fixed in 7.1.0.

Type: Title
Values removed: none
Values added: ChurchCRM has an API Authentication Bypass

Type: Weaknesses
Values removed: none
Values added: CWE-284

Type: References
Values removed: none
Values added: (none shown)

Type: Metrics
Values removed: none
Values added:
  cvssV3_1: {'score': 9.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N'}
  ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Subscriptions

Churchcrm Churchcrm
MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-07T19:59:11.055Z

Reserved: 2026-04-06T20:28:38.393Z

Link: CVE-2026-39339

Vulnrichment

Updated: 2026-04-07T19:11:59.800Z

NVD

Status : Analyzed

Published: 2026-04-07T18:16:45.880

Modified: 2026-04-10T20:59:05.223

Link: CVE-2026-39339

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-22T16:00:14Z

Weaknesses