Improper access control in ChurchCRM - CVE-2026-39339


Published: May 5, 2026


Vulnerability identifier: #VU129704
CSH Severity: High
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Amber
CVE-ID: CVE-2026-39339
CWE-ID: CWE-284
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: ChurchCRM
Affected software: ChurchCRM

Detailed vulnerability description

The vulnerability allows a remote attacker to bypass authentication and access protected API endpoints.

The vulnerability exists due to improper access control in src/ChurchCRM/Slim/Middleware/AuthMiddleware.php when handling request URIs containing "api/public". A remote attacker can send a specially crafted request with "api/public" in the URL to bypass authentication and access protected API endpoints.

This can expose church member data and system information, and some endpoints may also permit actions such as triggering background jobs or manipulating calendar resources.
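The advisory names the weak point (a URI "containing" the string "api/public" is treated as a public route) but not the middleware's actual code or the vendor's fix. The following Python script is an added example, not ChurchCRM's code and not its patch: it shows the defender-side check an operator can run over web-server access logs to find requests that mention "api/public" somewhere other than as the anchored, normalised path prefix. The prefix `/api/public/`, the log format (Apache/nginx combined) and every log line are constructed assumptions for the example.

```python
"""
Flag requests whose URL mentions "api/public" without actually being under
the /api/public/ path prefix (query-string, percent-encoded or
unnormalised forms). Added example for CVE-2026-39339 triage; the prefix,
the log format and the sample lines are assumptions, not project data.
"""
import posixpath
import re
from urllib.parse import unquote, urlsplit

# Assumed location of the genuinely unauthenticated routes.
PUBLIC_PREFIX = "/api/public/"

# Combined log format: ip ident user [timestamp] "METHOD target PROTO" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)


def is_genuinely_public(target: str) -> bool:
    """True only when the decoded, normalised *path* sits under PUBLIC_PREFIX.

    This is the anchored check a middleware should make: the query string is
    ignored, percent-encoding is removed and '..' segments are collapsed
    before the prefix comparison.
    """
    path = posixpath.normpath(unquote(urlsplit(target).path))
    # normpath drops a trailing slash, so accept the bare prefix as well
    return path == PUBLIC_PREFIX.rstrip("/") or path.startswith(PUBLIC_PREFIX)


def mentions_public(target: str) -> bool:
    """The loose, substring-style test the advisory describes as the bug."""
    return "api/public" in unquote(target).lower()


def suspicious_requests(lines):
    """Return (ip, method, target, status) for each request the loose check
    would have accepted but the anchored check rejects."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        target = m.group("target")
        if mentions_public(target) and not is_genuinely_public(target):
            hits.append((m.group("ip"), m.group("method"), target, m.group("status")))
    return hits


# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    '203.0.113.10 - - [05/May/2026:10:00:01 +0000] "GET /api/public/register HTTP/1.1" 200 512',
    '203.0.113.10 - - [05/May/2026:10:00:02 +0000] "GET /api/persons/1?from=api/public HTTP/1.1" 200 4096',
    '198.51.100.7 - - [05/May/2026:10:00:03 +0000] "POST /api/calendars/1 HTTP/1.1" 401 0',
    '198.51.100.7 - - [05/May/2026:10:00:04 +0000] "POST /api/calendars/1?q=api%2Fpublic HTTP/1.1" 200 77',
]

if __name__ == "__main__":
    for hit in suspicious_requests(SAMPLE_LOG):
        print("suspicious:", hit)
```

The first sample line is a legitimate public route and is not reported; the two lines that carry "api/public" only in the query string are. A request that was flagged and also returned 200 against a protected endpoint on an unpatched instance is the case to investigate first; a 401 on such a request only tells you the attempt was made.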


How to mitigate CVE-2026-39339

Install the security update from the vendor's website.

Sources