CVE-2026-39339 CRITICAL

CVE-2026-39339: ChurchCRM has an API Authentication Bypass

Vendor Churchcrm
Product CRM
Weakness CWE-284
Published April 7, 2026
Last update April 7, 2026

CVSS base score

9.1/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality High
Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

What the vulnerability does

01Description

ChurchCRM is an open-source church management system. Prior to 7.1.0, a critical authentication bypass vulnerability in ChurchCRM's API middleware (ChurchCRM/Slim/Middleware/AuthMiddleware.php) allows unauthenticated attackers to access all protected API endpoints by including "api/public" anywhere in the request URL, leading to complete exposure of church member data and system information. This vulnerability is fixed in 7.1.0.

Key dates

02Disclosure timeline

April 7, 2026 CVE published
April 7, 2026 Record updated