Description
ChurchCRM is an open-source church management system. In versions prior to 7.2.0, the GET /api/person/{personId} endpoint loads and returns person records without performing object-level authorization checks. Although the legacy PersonView.php page enforces canEditPerson() restrictions, the API layer omits this check. Any authenticated user with only EditSelf privileges can enumerate and read other members' records, exposing sensitive PII including names, addresses, phone numbers, and email addresses. This issue has been fixed in version 7.2.0.
Published: 2026-04-17
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized Access to Personally Identifiable Information
Action: Immediate Patch
AI Analysis

Impact

A missing object‑level authorization check on the GET /api/person/{personId} endpoint allows any authenticated user with basic EditSelf privileges to read any member’s record. The data returned contains names, addresses, phone numbers and e‑mail addresses, so the flaw results in a confidentiality breach of sensitive personal information. The underlying weakness is an insecure direct object reference (IDOR, CWE‑639) combined with missing authorization at the API layer (CWE‑862).
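The shape of the bug and of its fix, as an added illustration rather than ChurchCRM's own code: the User and Person classes, the in-memory lookup and the exact EditSelf/canEditPerson() semantics are assumptions modelled on the CVE text, not the project's real API. The vulnerable handler only relies on the caller being authenticated; the hardened one authorizes against the loaded record before returning it.

```php
<?php
// Added illustration, not ChurchCRM's code. The classes, the $people lookup
// and the EditSelf/canEditPerson() semantics are assumptions modelled on the
// CVE description, not the project's real API.

final class User
{
    public function __construct(
        public int $id,
        public int $personId,     // person record this login is linked to
        public bool $editSelf,    // may view/edit only their own record
        public bool $editRecords, // broader right covering any record
    ) {}
}

final class Person
{
    public function __construct(public int $id, public string $name, public string $email) {}
}

/** Object-level check: the caller's own record, or a role that covers every record. */
function canEditPerson(User $user, Person $person): bool
{
    return $user->editRecords || ($user->editSelf && $user->personId === $person->id);
}

function serialisePerson(Person $p): array
{
    return ['id' => $p->id, 'name' => $p->name, 'email' => $p->email];
}

/** Vulnerable shape: $user is never consulted, so any EditSelf user can read any ID. */
function getPersonVulnerable(User $user, int $personId, array $people): array
{
    $person = $people[$personId] ?? null;
    return $person === null
        ? ['status' => 404, 'body' => ['error' => 'not found']]
        : ['status' => 200, 'body' => serialisePerson($person)];
}

/** Hardened shape: authorize against the loaded object before serialising it. */
function getPersonHardened(User $user, int $personId, array $people): array
{
    $person = $people[$personId] ?? null;
    // One 404 for "missing" and "not yours", so the endpoint does not confirm which IDs exist.
    if ($person === null || !canEditPerson($user, $person)) {
        return ['status' => 404, 'body' => ['error' => 'not found']];
    }
    return ['status' => 200, 'body' => serialisePerson($person)];
}

// Constructed sample data: login 7 is linked to person 7 and holds EditSelf only.
$people = [7 => new Person(7, 'A. Member', 'a@example.org'), 8 => new Person(8, 'B. Member', 'b@example.org')];
$self = new User(7, 7, true, false);
var_dump(getPersonVulnerable($self, 8, $people)['status']); // another member's record, no check
var_dump(getPersonHardened($self, 8, $people)['status']);   // another member's record, denied
var_dump(getPersonHardened($self, 7, $people)['status']);   // own record, still readable
```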

Affected Systems

ChurchCRM, an open‑source church management system, is affected in all releases older than version 7.2.0. The vulnerability exists across the CRM product family, as specified by the CNA vendor product list ChurchCRM:CRM. The CVE description names 7.2.0 as the release that includes the fix; no other patch level is listed.

Risk and Exploitability

The CVSS v4.0 base score of 7.1 places the flaw in the High range. Because exploitation requires only authentication and the standard EditSelf role, any logged‑in user can trigger it, so the risk is high in environments lacking additional controls. The EPSS score is very low (under 1%) and the vulnerability is not listed in CISA KEV, but the absence of an object‑level check in the API layer makes the attack path straightforward: request sequential person IDs and retrieve the PII for each record without any further authorization verification.

Generated by OpenCVE AI on April 18, 2026 at 08:49 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade ChurchCRM to version 7.2.0 or later where the GET /api/person/{personId} endpoint includes proper object‑level authorization checks.
  • If an upgrade is not immediately possible, re‑configure the API or the permission model to deny GET /api/person/{personId} requests for users who only possess EditSelf privileges, ensuring that only users with explicit viewing rights can access person records.
  • Audit the database for any exposed PII that may have been accessed by unauthorized users and apply remediation actions such as data sanitization, user notification and, if necessary, remediation of compromised accounts.


Advisories

No advisories yet.

History

Fri, 17 Apr 2026 23:30:00 +0000

Type        | Values Removed | Values Added
Description | (none)         | ChurchCRM is an open-source church management system. In versions prior to 7.2.0, the GET /api/person/{personId} endpoint loads and returns person records without performing object-level authorization checks. Although the legacy PersonView.php page enforces canEditPerson() restrictions, the API layer omits this check. Any authenticated user with only EditSelf privileges can enumerate and read other members' records, exposing sensitive PII including names, addresses, phone numbers, and email addresses. This issue has been fixed in version 7.2.0.
Title       | (none)         | ChurchCRM has Missing Object-Level Authorization / IDOR in `/api/person/{personId}`
Weaknesses  | (none)         | CWE-639, CWE-862
References  | (none)         | (none listed)
Metrics     | (none)         | cvssV4_0: {'score': 7.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N'}


Subscriptions

No data.

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-17T23:07:30.126Z

Reserved: 2026-04-13T19:50:42.114Z

Link: CVE-2026-40480

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-04-18T00:16:38.960

Modified: 2026-04-18T00:16:38.960

Link: CVE-2026-40480

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T09:00:05Z

Weaknesses