Cyber Posture

CVE-2026-39339

Critical

Published: 07 April 2026
Modified: 10 April 2026
CVSS Score: 9.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N)
EPSS Score: 0.1571 (94.8th percentile)
Risk Priority: 28 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Description

ChurchCRM is an open-source church management system. Prior to 7.1.0, a critical authentication bypass vulnerability in ChurchCRM's API middleware (ChurchCRM/Slim/Middleware/AuthMiddleware.php) allows unauthenticated attackers to access all protected API endpoints by including "api/public" anywhere in the request URL, leading to complete exposure of church member data and system information. This vulnerability is fixed in 7.1.0.

Mitigating Controls (NIST 800-53 r5)

Prevent: Requires enforcement of approved authorizations for access to protected resources, directly mitigating the API middleware flaw that bypassed authentication via URL manipulation.

Prevent / Recover: Mandates timely identification, reporting, and correction of system flaws like the authentication bypass fixed in ChurchCRM 7.1.0.

Prevent: Limits and documents actions permitted without identification or authentication, countering improper middleware logic that allowed protected API access via 'api/public' in URLs.

Security Summary

CVE-2026-39339 is a critical authentication bypass vulnerability (CVSS 9.1, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N) affecting ChurchCRM, an open-source church management system, in versions prior to 7.1.0. The issue stems from a flaw in the API middleware (ChurchCRM/Slim/Middleware/AuthMiddleware.php), which permits unauthenticated access to all protected API endpoints when "api/public" is included anywhere in the request URL (CWE-284). This exposes sensitive church member data and system information.

Unauthenticated attackers with network access can exploit the vulnerability remotely with low attack complexity and no user interaction or privileges required. Exploitation allows full bypass of authentication controls, resulting in high confidentiality and integrity impacts, such as unauthorized reading and modification of protected data across the API.

The vulnerability is addressed in ChurchCRM version 7.1.0. For mitigation details, practitioners should consult the GitHub security advisory at https://github.com/ChurchCRM/CRM/security/advisories/GHSA-v3p2-mx78-pxhc.
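As an added example (not ChurchCRM's code; the allow-list prefix, function names and sample request targets are constructed for illustration), the following Python contrasts the defect class described above, a public-route allow-list matched by substring anywhere in the request target, with an anchored check on the normalized path, and adds a log-side flag for requests that only the substring test would exempt:

```python
import posixpath
from urllib.parse import unquote

# Constructed allow-list of unauthenticated API routes (hypothetical path).
PUBLIC_PREFIXES = ("/api/public",)


def is_public_substring(target: str) -> bool:
    """Vulnerable pattern: the request is treated as public when the marker
    appears anywhere in the request target, including the query string."""
    return "api/public" in target


def normalize_path(target: str) -> str:
    """Reduce a request target to the path the router actually dispatches on:
    drop the query, percent-decode once, collapse duplicate slashes and
    '.'/'..' segments, and remove any trailing slash."""
    path = unquote(target.split("?", 1)[0])
    path = "/" + path.lstrip("/")          # posixpath would keep a leading '//'
    return posixpath.normpath(path)


def is_public_anchored(target: str) -> bool:
    """Hardened check: the normalized path must equal an allow-listed prefix
    or sit beneath it as a whole path segment ('/api/public-ish' is not public)."""
    path = normalize_path(target)
    return any(path == p or path.startswith(p + "/") for p in PUBLIC_PREFIXES)


def requires_auth(target: str, hardened: bool = True) -> bool:
    """Middleware decision: authenticate unless the route is public."""
    public = is_public_anchored(target) if hardened else is_public_substring(target)
    return not public


def suspicious(target: str) -> bool:
    """Log-side detection: a request that only the substring test would exempt
    is the signature of a bypass attempt against the unpatched check."""
    return is_public_substring(target) and not is_public_anchored(target)
```

The anchored check must run on the same normalized path the router dispatches on; checking a differently normalized string reintroduces a parser mismatch.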

Details

CWE(s)
CWE-284 Improper Access Control

Affected Products
Vendor: churchcrm
Product: churchcrm
Versions: ≤ 7.1.0

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

CVE-2026-39339 is an authentication bypass in a public-facing web application's API, enabling unauthenticated remote attackers to access and modify protected data, directly facilitating T1190: Exploit Public-Facing Application.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0
