CVE-2026-39339
published 2026-04-07


Priority: P2 (75) · Severity: critical · CVSS 3.1 base score: 9.1
CVSS 3.1 vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Exploit: public exploit flagged
EPSS: 1.35% (68.0th percentile)
ChurchCRM is an open-source church management system. Prior to 7.1.0, a critical authentication bypass vulnerability in ChurchCRM's API middleware (ChurchCRM/Slim/Middleware/AuthMiddleware.php) allows unauthenticated attackers to access all protected API endpoints by including "api/public" anywhere in the request URL, leading to complete exposure of church member data and system information. This vulnerability is fixed in 7.1.0.

Affected (2 ranges)

Vendor      Product     Version range   Fixed in
churchcrm   churchcrm   < 7.1.0         7.1.0
churchcrm   crm         < 7.1.0         7.1.0

Detection & IOCs (extracted from sources)

Type    Value
url     /api/persons/latest?bypass=/api/public
path    ChurchCRM/Slim/Middleware/AuthMiddleware.php
other   api/public
sigma   matchers: body contains 'PersonId' AND 'FormattedName' AND '"people"'; content_type: application/json; status: 200
  • Flag any HTTP GET request whose URL carries the string 'api/public' outside the real /api/public route, for example as a query parameter (?bypass=/api/public) or as an extra path segment: the vulnerable middleware accepts any URL containing that substring as a public route.
  • Successful exploitation returns HTTP 200 with a JSON body containing 'PersonId', 'FormattedName' and 'people' for a request that carried no credentials; alert on unauthenticated requests to /api/persons/ endpoints that return these fields.
  • Exposed ChurchCRM instances can be enumerated with Shodan (http.title:"churchcrm") or FOFA (app="churchcrm").
  • Only ChurchCRM versions prior to 7.1.0 are affected; instances running 7.1.0 or later are not.
  • The bypass works because the middleware treats any request URL containing the substring 'api/public' as a public route, so the string can be placed anywhere in the path or the query string rather than at the start of the route.