{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-39339", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-04-06T20:28:38.393Z", "datePublished": "2026-04-07T17:58:50.015Z", "dateUpdated": "2026-04-07T19:59:11.055Z"}, "containers": {"cna": {"title": "ChurchCRM has an API Authentication Bypass", "problemTypes": [{"descriptions": [{"cweId": "CWE-284", "lang": "en", "description": "CWE-284: Improper Access Control", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 9.1, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/ChurchCRM/CRM/security/advisories/GHSA-v3p2-mx78-pxhc", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/ChurchCRM/CRM/security/advisories/GHSA-v3p2-mx78-pxhc"}], "affected": [{"vendor": "ChurchCRM", "product": "CRM", "versions": [{"version": "< 7.1.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-07T17:58:50.015Z"}, "descriptions": [{"lang": "en", "value": "ChurchCRM is an open-source church management system. Prior to 7.1.0, a critical authentication bypass vulnerability in ChurchCRM's API middleware (ChurchCRM/Slim/Middleware/AuthMiddleware.php) allows unauthenticated attackers to access all protected API endpoints by including \"api/public\" anywhere in the request URL, leading to complete exposure of church member data and system information. This vulnerability is fixed in 7.1.0."}], "source": {"advisory": "GHSA-v3p2-mx78-pxhc", "discovery": "UNKNOWN"}}, "adp": [{"references": [{"url": "https://github.com/ChurchCRM/CRM/security/advisories/GHSA-v3p2-mx78-pxhc", "tags": ["exploit"]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-07T19:11:51.878805Z", "id": "CVE-2026-39339", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-07T19:59:11.055Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-39339", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-04-07T19:11:51.878805Z"}}}], "references": [{"url": "https://github.com/ChurchCRM/CRM/security/advisories/GHSA-v3p2-mx78-pxhc", "tags": ["exploit"]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-07T19:11:59.800Z"}}], "cna": {"title": "ChurchCRM has an API Authentication Bypass", "source": {"advisory": "GHSA-v3p2-mx78-pxhc", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.1, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "ChurchCRM", "product": "CRM", "versions": [{"status": "affected", "version": "< 7.1.0"}]}], "references": [{"url": "https://github.com/ChurchCRM/CRM/security/advisories/GHSA-v3p2-mx78-pxhc", "name": "https://github.com/ChurchCRM/CRM/security/advisories/GHSA-v3p2-mx78-pxhc", "tags": ["x_refsource_CONFIRM"]}], "descriptions": [{"lang": "en", "value": "ChurchCRM is an open-source church management system. Prior to 7.1.0, a critical authentication bypass vulnerability in ChurchCRM's API middleware (ChurchCRM/Slim/Middleware/AuthMiddleware.php) allows unauthenticated attackers to access all protected API endpoints by including \"api/public\" anywhere in the request URL, leading to complete exposure of church member data and system information. This vulnerability is fixed in 7.1.0."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-284", "description": "CWE-284: Improper Access Control"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-07T17:58:50.015Z"}}}, "cveMetadata": {"cveId": "CVE-2026-39339", "state": "PUBLISHED", "dateUpdated": "2026-04-07T19:59:11.055Z", "dateReserved": "2026-04-06T20:28:38.393Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-04-07T17:58:50.015Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "ChurchCRM is an open-source church management system. Prior to 7.1.0, a critical authentication bypass vulnerability in ChurchCRM's API middleware (ChurchCRM/Slim/Middleware/AuthMiddleware.php) allows unauthenticated attackers to access all protected API endpoints by including \"api/public\" anywhere in the request URL, leading to complete exposure of church member data and system information. This vulnerability is fixed in 7.1.0."}], "id": "CVE-2026-39339", "lastModified": "2026-04-08T21:27:00.663", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 9.1, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.2, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-04-07T18:16:45.880", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/ChurchCRM/CRM/security/advisories/GHSA-v3p2-mx78-pxhc"}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "url": "https://github.com/ChurchCRM/CRM/security/advisories/GHSA-v3p2-mx78-pxhc"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-284"}], "source": "security-advisories@github.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-07T21:57:01.409987+00:00", "value": {"mitigation_remediation": ["Upgrade ChurchCRM to version 7.1.0 or later as the official fix.", "Verify that API requests bearing \"api/public\" no longer bypass authentication and that authentication middleware is active for all endpoints.", "Review and disable any unnecessary administrative or public interfaces in the server configuration.", "Monitor application logs for anomalous API activity until the upgrade is confirmed to be applied."], "summary": {"action": "Immediate Patch", "impact": "Unauthorized access to all protected API data"}, "threat_synthesis": {"affected_systems": "The vulnerability impacts the ChurchCRM CRM product in versions older than 7.1.0. While a precise patch version range is not listed, any installation running 7.0 or earlier is susceptible.", "description_and_impact": "ChurchCRM\u2019s API middleware allows an unauthenticated attacker to access every protected endpoint by simply including \"api/public\" in the request URL. This bypass removes the authentication check, enabling the attacker to retrieve sensitive member information and system data, a clear privilege\u2011escalation issue covered by CWE\u2011284.", "risk_and_exploitability": "With a CVSS score of 9.1, the flaw is deemed critical. EPSS data is unavailable, and the vulnerability is not yet in the KEV catalog, yet the attack path is straightforward: a remote attacker can target the exposed API over the network and obtain all protected data. Without remediation, systems remain at very high risk until patched."}}}}, "created": "2026-04-08T19:46:52.914713+00:00", "updated": "2026-04-08T19:46:52.914739+00:00", "vendors": []}