Main Vulnerability Database Vulnerabilities #VU129693

Improper access control in ChurchCRM - #VU129693

Published: May 5, 2026

Vulnerability identifier: #VU129693

CSH Severity: Medium

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green

CVE-ID: N/A

CWE-ID: CWE-284

Exploitation vector: Remote access

Exploit availability: No public exploit available

Vendor: ChurchCRM

Affected software:
ChurchCRM

Detailed vulnerability description

The vulnerability allows a remote attacker to disclose sensitive information.

The vulnerability exists due to improper access control in src/kiosk/routes/device.php when handling requests to the activeClassMember photo endpoint. A remote attacker can request photos for arbitrary PersonId values to disclose sensitive information.

The endpoint can be abused by iterating PersonId values.

Remediation

Install security update from vendor's website.

Sources

https://github.com/ChurchCRM/CRM/security/advisories/GHSA-7775-g7p9-8fr6
https://github.com/advisories/GHSA-7775-g7p9-8fr6

Improper access control in ChurchCRM - #VU129693

Detailed vulnerability description

Remediation

Sources

Please verify you're human