Description
ChurchCRM is an open-source church management system. Prior to 7.1.0, a critical authentication bypass vulnerability in ChurchCRM's API middleware (ChurchCRM/Slim/Middleware/AuthMiddleware.php) allows unauthenticated attackers to access all protected API endpoints by including "api/public" anywhere in the request URL, leading to complete exposure of church member data and system information. This vulnerability is fixed in 7.1.0.
Published: 2026-04-07
Score: 9.1 Critical
EPSS: 1.4% Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

ChurchCRM's API middleware contains a critical authentication bypass that allows unauthenticated attackers to access all protected API endpoints by including the string "api/public" anywhere in the request URL. This flaw enables an attacker to retrieve complete member data and system information, exposing personal data and operational details. The vulnerability is identified as CWE-284.

Affected Systems

The affected product is ChurchCRM:CRM. Versions prior to 7.1.0 are vulnerable; the issue was fixed in version 7.1.0. No other versions are listed as affected.

Risk and Exploitability

The CVSS score of 9.1 classifies the vulnerability as high severity. The EPSS score indicates a low exploitation probability of 1%, and the CVE is not listed in the CISA KEV catalog. The attack vector likely involves sending crafted HTTP requests to the API endpoints; thus any network user with API access can exploit the bypass. Successful exploitation would compromise the confidentiality and integrity of church member data and expose system information for misuse.

Generated by OpenCVE AI on June 18, 2026 at 09:25 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade ChurchCRM to version 7.1.0 or later to remove the authentication bypass flaw
  • Implement network or firewall rules to block direct access to all API endpoints, especially those containing the path segment "api/public" to hinder unauthenticated requests
  • Continuously monitor API access logs for anomalous activity and investigate any unexpected requests after applying the patch to ensure the vulnerability has been fully mitigated

Generated by OpenCVE AI on June 18, 2026 at 09:25 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 10 Apr 2026 21:00:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:churchcrm:churchcrm:*:*:*:*:*:*:*:*

Thu, 09 Apr 2026 08:30:00 +0000

Type Values Removed Values Added
First Time appeared Churchcrm
Churchcrm churchcrm
Vendors & Products Churchcrm
Churchcrm churchcrm

Tue, 07 Apr 2026 20:45:00 +0000

Type Values Removed Values Added
Description ChurchCRM is an open-source church management system. Prior to 7.1.0, a critical authentication bypass vulnerability in ChurchCRM's API middleware (ChurchCRM/Slim/Middleware/AuthMiddleware.php) allows unauthenticated attackers to access all protected API endpoints by including "api/public" anywhere in the request URL, leading to complete exposure of church member data and system information. This vulnerability is fixed in 7.1.0.
Title ChurchCRM has an API Authentication Bypass
Weaknesses CWE-284
References
Metrics cvssV3_1

{'score': 9.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N'}

ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Subscriptions

Churchcrm Churchcrm
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-07T19:59:11.055Z

Reserved: 2026-04-06T20:28:38.393Z

Link: CVE-2026-39339

cve-icon Vulnrichment

Updated: 2026-04-07T19:11:59.800Z

cve-icon NVD

Status : Analyzed

Published: 2026-04-07T18:16:45.880

Modified: 2026-06-17T10:41:57.390

Link: CVE-2026-39339

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-18T09:30:15Z

Weaknesses