Improper access control in ChurchCRM - CVE-2025-66397

Published: May 5, 2026


Vulnerability identifier: #VU129710
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2025-66397
CWE-ID: CWE-284
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: ChurchCRM
Affected software:
ChurchCRM

Detailed vulnerability description

The vulnerability allows a remote user to perform unauthorized kiosk management actions.

The vulnerability exists due to improper access control in the Kiosk Manager API endpoints when handling authenticated requests to kiosk management functions. A remote user can send crafted requests to perform unauthorized kiosk management actions.

The issue affects the allowRegistration, acceptKiosk, reloadKiosk, and identifyKiosk functions that are intended for administrator use.
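As an added PHP example (not ChurchCRM's own code), the following contrasts the vulnerable pattern the advisory describes, an endpoint that only verifies the caller is logged in, with a hardened dispatcher that enforces the administrator role for the four named functions before any handler runs and writes each denial to the audit log. The User class, ForbiddenException, kioskAction and the two dispatch functions are assumptions that stand in for ChurchCRM's real routing and session code; only the four action names come from the advisory.

```php
<?php
declare(strict_types=1);

// Added illustration, not ChurchCRM code. The four action names come from the
// advisory; User, ForbiddenException, kioskAction and the dispatch functions
// are assumptions that stand in for a real router and session layer.

final class User
{
    public function __construct(public string $name, public bool $isAdmin) {}
}

final class ForbiddenException extends RuntimeException {}

// Kiosk management actions the advisory says are intended for administrators.
const KIOSK_ADMIN_ACTIONS = ['allowRegistration', 'acceptKiosk', 'reloadKiosk', 'identifyKiosk'];

// Stand-in for the real handlers; it only reports what would have executed.
function kioskAction(string $action, array $params): array
{
    return ['action' => $action, 'params' => $params, 'status' => 'ok'];
}

// Vulnerable shape (CWE-284): the endpoint checks only that a session exists,
// so any authenticated user reaches administrator-only functionality.
function dispatchVulnerable(?User $user, string $action, array $params): array
{
    if ($user === null) {
        throw new ForbiddenException('authentication required');
    }
    return kioskAction($action, $params);
}

// Hardened shape: the role requirement is decided per route in the dispatcher,
// and every denial is logged so it can be alerted on and reviewed.
function requireAdmin(?User $user, string $action): void
{
    if ($user === null || !$user->isAdmin) {
        $who = $user?->name ?? 'anonymous';
        error_log(sprintf('AUTHZ DENY user=%s action=%s', $who, $action));
        throw new ForbiddenException('administrator role required');
    }
}

function dispatchHardened(?User $user, string $action, array $params): array
{
    if (in_array($action, KIOSK_ADMIN_ACTIONS, true)) {
        requireAdmin($user, $action);
    } elseif ($user === null) {
        throw new ForbiddenException('authentication required');
    }
    return kioskAction($action, $params);
}

// Demonstration with two constructed users: an ordinary member and an admin.
$member = new User('jane', false);
$admin  = new User('root', true);

foreach (['dispatchVulnerable', 'dispatchHardened'] as $dispatch) {
    foreach ([$member, $admin] as $user) {
        try {
            $result = $dispatch($user, 'acceptKiosk', ['kioskId' => 7]);
            printf("%-18s %-5s -> allowed (%s)\n", $dispatch, $user->name, $result['action']);
        } catch (ForbiddenException $e) {
            printf("%-18s %-5s -> denied: %s\n", $dispatch, $user->name, $e->getMessage());
        }
    }
}
```

The point of the hardened shape is that the authorization decision lives in one place the request must pass through, rather than being left to each handler to remember; a new administrator-only action is protected by adding its name to the list, and the denial log line gives defenders a concrete signal (a non-admin session invoking a kiosk management action) to alert on while a fix is being rolled out.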


How to mitigate CVE-2025-66397

Install the security update from the vendor's website.

Sources