ChurchCRM Auth Bypass (CVE-2026-39339)
CVE-2026-39339
Attackers exploit ChurchCRM's faulty auth middleware to bypass login via an "api/public" path trick, gaining access to all member and financial data. Upgrade to 7.1.0 now.
Patch now - CVE-2026-39339 is a critical authentication bypass vulnerability in ChurchCRM versions prior to 7.1.0 that lets any unauthenticated attacker query all protected API endpoints, gaining complete access to member directories, financial records, and system config.
Overview
A critical security flaw in ChurchCRM allows unauthenticated attackers to bypass authentication entirely and access sensitive data. The vulnerability, tracked as CVE-2026-39339, exists in versions prior to 7.1.0 and has a CVSS score of 9.1.
Vulnerability Details
The flaw resides in the API authentication middleware (AuthMiddleware.php), which validates request URLs incorrectly: if the string “api/public” appears anywhere in the request URL path, the middleware treats the entire request as a public call and skips all authentication checks. Any attacker can therefore query protected API endpoints directly without providing valid credentials.
Impact
The impact of this vulnerability is severe. Attackers can access every protected API endpoint, which typically includes:
- Complete church member directories (names, addresses, contact details).
- Financial contribution records and other sensitive pastoral data.
- System configuration information.
This constitutes a total compromise of the application’s data security, leading to a significant privacy breach for the congregation. For more on the consequences of such exposures, see our breach reports.
Remediation and Mitigation
The only complete remediation is to immediately upgrade ChurchCRM to version 7.1.0 or later, which contains the fix. Action Steps:
- Update Immediately: All instances running a version below 7.1.0 must be upgraded to the patched release.
- Audit Access Logs: Review web server and application logs for suspicious requests containing “api/public” from unauthorized IP addresses.
- Assume Compromise: Given the ease of exploitation, organizations should assume member data may have been accessed and follow relevant data breach notification procedures.
If an immediate upgrade is not possible, as a temporary and incomplete mitigation, consider restricting network access to the ChurchCRM application to known trusted networks only. However, this does not fix the underlying vulnerability.
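To make the path-matching flaw and the log-audit step concrete, here is an added Python example (not ChurchCRM's own code): a simplified reconstruction of the substring check the advisory describes, the prefix-based check that closes it, and a scanner that runs both over constructed access-log lines and reports the requests the flawed check would have waved through. The log layout, client IPs and route names are assumptions.

```python
import re

# Simplified reconstruction of the flaw as the advisory describes it:
# a substring match anywhere in the request path. Assumed, not ChurchCRM's code.
def is_public_vulnerable(path: str) -> bool:
    return "api/public" in path

# Hardened form: drop the query string, collapse repeated slashes and require
# the public route as a prefix, so "api/public" deeper in the URL no longer
# disables authentication (anything else falls through to the auth check).
def is_public_fixed(path: str) -> bool:
    clean = re.sub(r"/+", "/", path.split("?", 1)[0])
    return clean == "/api/public" or clean.startswith("/api/public/")

# Common Log Format parser (client IP, timestamp, request line, status). Assumed layout.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<url>\S+) \S+" (?P<status>\d{3})'
)

def flag_bypass_attempts(log_lines):
    """Return (ip, url, status) for requests the flawed check would treat as
    public but the prefix check would not. A 200 on an unpatched instance
    means protected data was very likely served without credentials."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        url = m.group("url")
        if is_public_vulnerable(url) and not is_public_fixed(url):
            hits.append((m.group("ip"), url, int(m.group("status"))))
    return hits

# Constructed sample log: a legitimate public call, a normal rejected call,
# and one request with "api/public" buried in the path (route name invented).
SAMPLE_LOG = [
    '203.0.113.7 - - [01/Jan/2026:10:00:00 +0000] "GET /api/public/ HTTP/1.1" 200 312',
    '203.0.113.7 - - [01/Jan/2026:10:01:30 +0000] "GET /api/example-route/1 HTTP/1.1" 401 48',
    '198.51.100.9 - - [01/Jan/2026:10:02:11 +0000] "GET /api/example-route/api/public HTTP/1.1" 200 5120',
]

if __name__ == "__main__":
    for ip, url, status in flag_bypass_attempts(SAMPLE_LOG):
        print(f"investigate: {ip} {url} -> {status}")
```

Run the scanner against real access logs from before the upgrade; after patching, the same requests should show 401 rather than 200.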
Security Insight
This vulnerability highlights the danger of flawed path-matching logic in security middleware, a recurring theme in web application flaws. As in past incidents on other platforms, a single logic error in a central authentication component can nullify the entire security model. It underscores the need for rigorous negative testing of security controls, ensuring they fail securely rather than granting excessive access. For ongoing coverage of similar threats, follow our security news.