CVE-2026-39339
Published 2026-04-07
Priority: P2 · 75 · critical · CVSS 3.1 base score 9.1
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Exploit likelihood (EPSS): 1.35% (68.0th percentile)
ChurchCRM is an open-source church management system. Prior to 7.1.0, a critical authentication bypass vulnerability in ChurchCRM's API middleware (ChurchCRM/Slim/Middleware/AuthMiddleware.php) allows unauthenticated attackers to access all protected API endpoints by including "api/public" anywhere in the request URL, leading to complete exposure of church member data and system information. This vulnerability is fixed in 7.1.0.
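As an added illustration (not code from this page or from the ChurchCRM project), the Python model below contrasts a substring check on the raw URL, the behaviour the advisory attributes to AuthMiddleware.php, with a prefix check on the canonical request path. The route prefix /api/public, the helper names and the sample URLs are assumptions for the model; the real middleware is PHP and its exact code is not reproduced here.

```python
"""Added model of the route check behind CVE-2026-39339.

Illustrative Python, not ChurchCRM's PHP AuthMiddleware: it contrasts a
substring test on the raw URL (the behaviour the advisory describes) with
a prefix test on the canonical request path.
"""
import posixpath
import re
from urllib.parse import unquote, urlsplit

# Assumed public route prefix for the model; the project's real route
# names are not reproduced here.
PUBLIC_PREFIX = "/api/public"


def vulnerable_is_public(url: str) -> bool:
    """Flawed check: any URL containing the marker, query string
    included, is treated as a public route."""
    return "api/public" in url


def canonical_path(url: str) -> str:
    """Path only (no query/fragment), percent-decoded once, duplicate
    slashes collapsed, '.' and '..' segments resolved."""
    path = unquote(urlsplit(url).path)
    path = re.sub(r"/+", "/", path)
    if not path.startswith("/"):
        path = "/" + path
    return posixpath.normpath(path)


def hardened_is_public(url: str) -> bool:
    """Prefix check: only a request whose canonical path is the public
    route, or lies beneath it, skips authentication."""
    path = canonical_path(url)
    return path == PUBLIC_PREFIX or path.startswith(PUBLIC_PREFIX + "/")


def authorize(url: str, authenticated: bool, is_public) -> bool:
    """Middleware decision: let the request through if the caller is
    authenticated or the route is public under the supplied check."""
    return authenticated or is_public(url)


# Constructed request URLs for the comparison, not captured traffic.
SAMPLE_REQUESTS = [
    "/api/public/calendar",             # genuinely public
    "/api/persons/1",                   # protected, no trick
    "/api/persons/1?next=/api/public",  # marker smuggled into the query string
    "/api/public/../persons/1",         # traversal back out of the public prefix
    "/api/persons/api/public",          # marker as a trailing path segment
]


def compare(urls=SAMPLE_REQUESTS) -> dict:
    """Map each unauthenticated URL to (vulnerable allows, hardened allows)."""
    return {
        url: (authorize(url, False, vulnerable_is_public),
              authorize(url, False, hardened_is_public))
        for url in urls
    }


if __name__ == "__main__":
    for url, (vuln, fixed) in compare().items():
        print(f"{url:36} vulnerable={'ALLOW' if vuln else 'deny':5} "
              f"hardened={'ALLOW' if fixed else 'deny'}")
```

The order inside canonical_path matters: decode once, collapse slashes, then resolve dot segments, so an encoded %2e%2e cannot survive into the prefix comparison. Running the script shows the query-string, traversal and trailing-segment cases as ALLOW under the substring check and deny under the prefix check, while the genuine /api/public route stays reachable under both.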
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| churchcrm | churchcrm | < 7.1.0 | 7.1.0 |
| churchcrm | crm | < 7.1.0 | 7.1.0 |
Detection & IOCs (extracted from sources)
Sigma-style matchers: body contains 'PersonId' AND 'FormattedName' AND '"people"'; content_type: application/json; status: 200
- Flag any HTTP GET request whose URL contains the string 'api/public' anywhere other than as the genuine /api/public route prefix, whether injected as a query-string value (e.g. ?bypass=/api/public) or as a path segment; that is the pattern used to bypass authentication on protected API endpoints.
- Successful exploitation returns HTTP 200 with a JSON body containing 'PersonId', 'FormattedName' and 'people' fields in response to an unauthenticated request; monitor for unauthenticated access to /api/persons/ endpoints that returns these fields.
- Use Shodan or FOFA to identify exposed ChurchCRM instances as potential targets: Shodan query http.title:"churchcrm", FOFA query app="churchcrm".
- Only ChurchCRM versions prior to 7.1.0 are affected; instances running 7.1.0 or later are not.
- The bypass works by embedding the string 'api/public' anywhere in the request URL: the middleware incorrectly treats any URL containing this substring as a public, unauthenticated route.
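The two detection bullets above, as an added example that is not a rule from this page or from any vendor: the Python below scans constructed combined-format access-log lines for requests that mention 'api/public' without actually targeting that route, and applies the response-side matcher (200, JSON, PersonId/FormattedName/people) to a constructed body. The log layout, the IP addresses and the response body are assumptions.

```python
"""Added detection logic for the CVE-2026-39339 bypass pattern.

Scans constructed access-log lines for requests that carry 'api/public'
without being under the /api/public route, and checks a response for the
JSON shape a successful bypass returns. Not a rule taken from the page or
shipped by any vendor.
"""
import json
import posixpath
import re
from urllib.parse import unquote, urlsplit

# Assumption: logs use the common "combined" layout; adjust for your server.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<url>\S+) \S+" (?P<status>\d{3}) (?P<size>\d+|-)'
)

PUBLIC_PREFIX = "/api/public"


def suspicious_url(url: str) -> bool:
    """True when the raw URL contains 'api/public' but the canonical path
    is not the public route, i.e. the marker was injected to bypass auth."""
    if "api/public" not in url.lower():
        return False
    path = posixpath.normpath(re.sub(r"/+", "/", unquote(urlsplit(url).path))).lower()
    return not (path == PUBLIC_PREFIX or path.startswith(PUBLIC_PREFIX + "/"))


def scan_log(lines):
    """Return (ip, url, status) for each GET matching the bypass pattern.
    A 200 on a flagged line is the strongest signal; a 401/403 shows an
    attempt that the server rejected."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if m and m["method"] == "GET" and suspicious_url(m["url"]):
            hits.append((m["ip"], m["url"], int(m["status"])))
    return hits


def looks_like_leaked_people(status: int, content_type: str, body: str) -> bool:
    """Response-side matcher mirroring the page's Sigma-style fields: a 200
    JSON document with a top-level 'people' key whose text carries
    PersonId and FormattedName."""
    if status != 200 or not content_type.lower().startswith("application/json"):
        return False
    try:
        data = json.loads(body)
    except ValueError:
        return False
    return (isinstance(data, dict) and "people" in data
            and "PersonId" in body and "FormattedName" in body)


# Constructed log lines (RFC 5737 documentation addresses), not real traffic.
SAMPLE_LOG = [
    '203.0.113.5 - - [07/Apr/2026:10:00:01 +0000] "GET /api/public/calendar HTTP/1.1" 200 512',
    '203.0.113.5 - - [07/Apr/2026:10:00:02 +0000] "GET /api/persons/1?x=api/public HTTP/1.1" 200 2048',
    '198.51.100.7 - - [07/Apr/2026:10:00:03 +0000] "GET /api/public/../persons/1 HTTP/1.1" 200 2048',
    '198.51.100.7 - - [07/Apr/2026:10:00:04 +0000] "GET /api/persons/1 HTTP/1.1" 401 0',
    '192.0.2.9 - - [07/Apr/2026:10:00:05 +0000] "GET /index.php HTTP/1.1" 200 9000',
]

# Constructed response body shaped like the leak the page describes.
SAMPLE_BODY = '{"people": [{"PersonId": 1, "FormattedName": "Example Person"}]}'


if __name__ == "__main__":
    for ip, url, status in scan_log(SAMPLE_LOG):
        print(f"bypass pattern from {ip}: {url} -> {status}")
    print("response matches leak shape:",
          looks_like_leaked_people(200, "application/json", SAMPLE_BODY))
```

The request-side check normalizes the path before comparing, so a traversal such as /api/public/../persons/1 is flagged even though the raw path starts with the public prefix; plain hits on /api/public/... are left alone to keep noise down. The response-side matcher needs body access, so it belongs in a WAF or reverse proxy rather than in access-log review.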
No advisories linked to this vulnerability.
No detection rules found.
Nuclei
CVE-2026-39339 [CRITICAL] ChurchCRM - API Authentication Bypass via URL Injection (nuclei · CVSS 9.1)
ChurchCRM < 7.1.0 contains an authentication bypass caused by improper API middleware URL handling in ChurchCRM/Slim/Middleware/AuthMiddleware.php, letting unauthenticated attackers access protected API endpoints; the exploit requires a crafted request URL with 'api/public
Template:
```yaml
id: CVE-2026-39339
info:
  name: ChurchCRM - API Authentication Bypass via URL Injection
  author: akhilshekhar
  severity: critical
  description: |
    ChurchCRM < 7.1.0 contains an authentication bypass caused by improper API middleware URL handling in ChurchCRM/Slim/Middleware/AuthMiddleware.php, letting unauthenticated attackers access protected API endpoints, exploit requires crafted request URL with 'api/public
  impact: |
    Unauthenticated attackers can access all p
```
No writeups or analysis indexed.