Critical (9.1)

ChurchCRM Auth Bypass (CVE-2026-39339)


ChurchCRM is an open-source church management system. Prior to 7.1.0, a critical authentication bypass vulnerability in ChurchCRM's API middleware (ChurchCRM/Slim/Middleware/AuthMiddleware.php) allow...

Overview

A critical security flaw in ChurchCRM allows unauthenticated attackers to bypass authentication entirely and access sensitive data. The vulnerability, tracked as CVE-2026-39339, exists in versions prior to 7.1.0 and has a CVSS score of 9.1.

Vulnerability Details

The flaw resides in the API authentication middleware (AuthMiddleware.php). The middleware decides whether a request is public with a substring match on the request path rather than an anchored match against the real public routes: if the string “api/public” appears anywhere in the path, not only as the leading route prefix of the genuinely public endpoints, the middleware treats the whole request as public and skips every authentication check. A request for a protected endpoint whose path also carries that string therefore reaches the protected handler without any credentials, so an attacker can query protected API endpoints directly.

Impact

The impact of this vulnerability is severe. Attackers can access every protected API endpoint, which typically includes:

  • Complete church member directories (names, addresses, contact details).
  • Financial contribution records and other sensitive pastoral data.
  • System configuration information.

This constitutes a total compromise of the application’s data security, leading to a significant privacy breach for the congregation. For more on the consequences of such exposures, see our breach reports.

Remediation and Mitigation

The only complete remediation is to immediately upgrade ChurchCRM to version 7.1.0 or later, which contains the fix.

Action Steps:

  1. Update Immediately: All instances running a version below 7.1.0 must be upgraded to the patched release.
  2. Audit Access Logs: Review web server and application logs for requests whose path contains “api/public” but that do not target a genuine public endpoint (for example, the string appearing after another route segment). Bypass requests carry no credentials, so the path itself, the endpoints reached, the response sizes, and unfamiliar source IP addresses are the signals to look for.
  3. Assume Compromise: Given the ease of exploitation, organizations should assume member data may have been accessed and follow relevant data breach notification procedures.
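The following is an added example written for this advisory; it is not ChurchCRM's code and does not reproduce the project's actual fix. It models the flawed substring match described under Vulnerability Details, one anchored-prefix replacement for it, and the log review from step 2 above: a small triage that parses access-log lines and flags requests the flawed check would have let through without authentication. It assumes the API is mounted under /api, that genuine public routes live under /api/public, and that the application may see unnormalized paths such as /api/public/../persons (many web servers normalize these first, in which case that line is simply never flagged). The sample log lines are constructed for the demonstration.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Assumption for this example: API mounted at /api, public routes under /api/public.
PUBLIC_PREFIX = "/api/public"


def normalize_path(path: str) -> str:
    """Collapse repeated slashes and resolve '.' and '..' segments so that a
    prefix comparison cannot be defeated by paths like /api/public/../persons."""
    segments = []
    for seg in path.split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if segments:
                segments.pop()
            continue
        segments.append(seg)
    return "/" + "/".join(segments)


def is_public_vulnerable(target: str) -> bool:
    """Model of the flawed logic the advisory describes: the request is public
    if 'api/public' appears anywhere in the path."""
    return "api/public" in urlsplit(target).path


def is_public_fixed(target: str) -> bool:
    """Anchored check: the normalized path must be the public prefix itself or a
    descendant of it, so /api/publicity and /api/persons/1/api/public are not public."""
    path = normalize_path(urlsplit(target).path)
    return path == PUBLIC_PREFIX or path.startswith(PUBLIC_PREFIX + "/")


def is_bypass_attempt(target: str) -> bool:
    """A request the flawed check lets through but the anchored check would
    have sent to authentication."""
    return is_public_vulnerable(target) and not is_public_fixed(target)


# Combined-format access log line: ip ident user [ts] "METHOD target proto" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def triage_log(lines):
    """Return (hits, per_ip): the suspicious requests as
    (ip, method, target, status) tuples, and a count of hits per source IP."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if m and is_bypass_attempt(m["target"]):
            hits.append((m["ip"], m["method"], m["target"], m["status"]))
    return hits, Counter(ip for ip, *_ in hits)


# Constructed sample traffic for the demonstration; not real log data.
SAMPLE_LOG = """\
203.0.113.7 - - [01/Jan/2026:10:00:01 +0000] "GET /api/public/register HTTP/1.1" 200 512
203.0.113.7 - - [01/Jan/2026:10:00:02 +0000] "GET /api/persons/1/api/public HTTP/1.1" 200 4096
203.0.113.7 - - [01/Jan/2026:10:00:03 +0000] "GET /api/public/../persons HTTP/1.1" 200 90210
198.51.100.9 - - [01/Jan/2026:10:00:04 +0000] "GET /api/publicity HTTP/1.1" 404 120
198.51.100.9 - - [01/Jan/2026:10:00:05 +0000] "GET /api/persons/1 HTTP/1.1" 401 80
""".splitlines()

if __name__ == "__main__":
    hits, per_ip = triage_log(SAMPLE_LOG)
    for ip, method, target, status in hits:
        print(f"{ip} {method} {target} -> {status}")
    print(dict(per_ip))
```

Run against the sample, the triage flags the two requests from 203.0.113.7 that reached protected data with a 200 response and the /api/publicity probe from 198.51.100.9; the genuine public request and the correctly rejected 401 are left alone. In a real middleware the public/protected decision is better made from the routing layer (which route or route group matched) than from any string comparison on the path, which is the design point the Security Insight section makes.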

If an immediate upgrade is not possible, as a temporary and incomplete mitigation, consider restricting network access to the ChurchCRM application to known trusted networks only. However, this does not fix the underlying vulnerability.

Security Insight

This vulnerability highlights the danger of flawed path-matching logic in security middleware, a recurring theme in web application flaws. As in earlier incidents on other platforms, a single logic error in a central authentication component can nullify the entire security model. It underscores the need for rigorous negative testing of security controls: they must fail closed, denying access when a check does not clearly succeed, rather than granting access on a loose match. For ongoing coverage of similar threats, follow our security news.
