Cyber Resilience

CVE-2026-39339

Severity: Critical
Published: 07 April 2026
Modified: 10 April 2026
KEV Added: not listed
Patch: available (7.1.0)
CVSS v3.1 score: 9.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N)
EPSS score: 0.0135 (67.9th percentile)
Risk priority: 70 (floored blend, peak EPSS)

Summary

CVE-2026-39339 is a critical-severity Improper Access Control (CWE-284) vulnerability in Churchcrm Churchcrm. Its CVSS base score is 9.1 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 32.1% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and IA-2 (Identification and Authentication (Organizational Users)).

Deeper analysis

ChurchCRM, an open-source church management system, contains a critical authentication bypass vulnerability in its API middleware component (ChurchCRM/Slim/Middleware/AuthMiddleware.php) prior to version 7.1.0. The flaw permits unauthenticated access to all protected API endpoints when the string "api/public" appears anywhere in the request URL, exposing church member data and system information. The issue carries a CVSS score of 9.1 and is tracked under CWE-284.

Unauthenticated remote attackers can exploit the weakness over the network without credentials or user interaction to read or modify sensitive data through the affected API endpoints. Successful exploitation grants complete access to protected resources that should require authentication.

The vulnerability is addressed in ChurchCRM 7.1.0, as noted in the project's GitHub security advisory GHSA-v3p2-mx78-pxhc, which recommends upgrading to the fixed release.
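The bug class described above is an authentication exemption decided by a substring match on the raw request URL, so any protected path that merely contains the marker is treated as public. The following PHP is an added illustration written for this page; it is not ChurchCRM's AuthMiddleware.php, and the route prefix, base-path handling and sample URLs are assumptions, since the page does not describe the project's actual public-route layout or the exact fix shipped in 7.1.0. It places the weak check beside a hardened one that decides on the normalised path only and anchors the public prefix at the start of that path (PHP 8 or later for str_contains and str_starts_with).

```php
<?php
declare(strict_types=1);

// Constructed illustration, not ChurchCRM's code. The public prefix is an
// assumption; the page does not describe the project's real route layout.
const PUBLIC_API_PREFIX = '/api/public/';

// Weak pattern: a request is exempted from authentication because a marker
// string occurs *anywhere* in the URL, query string and all.
function isPublicRouteVulnerable(string $requestUri): bool
{
    return str_contains($requestUri, 'api/public');
}

// Hardened pattern: decide on the normalised path only, and require the
// public prefix at the very start of that path.
function isPublicRouteHardened(string $requestUri, string $basePath = ''): bool
{
    // Query string and fragment never take part in the decision.
    $path = parse_url($requestUri, PHP_URL_PATH);
    if (!is_string($path)) {
        return false;
    }
    // Percent-decode once so "%2Fapi%2Fpublic" and "/api/public" compare
    // alike, then collapse empty segments and resolve "." and "..".
    $path = rawurldecode($path);
    $segments = [];
    foreach (explode('/', $path) as $segment) {
        if ($segment === '' || $segment === '.') {
            continue;
        }
        if ($segment === '..') {
            array_pop($segments);
            continue;
        }
        $segments[] = $segment;
    }
    $normalised = '/' . implode('/', $segments) . '/';

    // Strip an application base path (assumed, e.g. "/churchcrm") when the
    // app is deployed in a subdirectory, so the prefix check stays anchored.
    $base = rtrim($basePath, '/');
    if ($base !== '' && str_starts_with($normalised, $base . '/')) {
        $normalised = substr($normalised, strlen($base));
    }
    return str_starts_with($normalised, PUBLIC_API_PREFIX);
}

// Middleware-style decision: authenticate unless the route is genuinely public.
function requiresAuthentication(string $requestUri, string $basePath = ''): bool
{
    return !isPublicRouteHardened($requestUri, $basePath);
}

// Constructed sample requests. Only the first is a legitimate public route;
// the weak check wrongly exempts the next three from authentication.
$samples = [
    '/api/public/calendar/events',
    '/api/person/1?redirect=api/public',   // marker only in the query string
    '/api/person/1/api/public',            // marker in a trailing segment
    '/api/public/../person/1',             // ".." steps back out of the prefix
    '/api/person/1',                       // ordinary protected route
];

foreach ($samples as $uri) {
    printf("%-40s weak=%-6s hardened=%s\n",
        $uri,
        isPublicRouteVulnerable($uri) ? 'public' : 'auth',
        isPublicRouteHardened($uri) ? 'public' : 'auth');
}
```

The design point is that the exemption list must be matched against a canonical path (decoded, dot-segments resolved, base path removed) and anchored at its start; matching the raw URL, or matching anywhere within it, turns every protected endpoint into a public one as soon as the marker can be placed somewhere in the request.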

EPSS scores for this CVE rose from a lower initial value to a peak of 0.2127, indicating emerging exploitation interest after disclosure.

Vulnerability details

ChurchCRM is an open-source church management system. Prior to 7.1.0, a critical authentication bypass vulnerability in ChurchCRM's API middleware (ChurchCRM/Slim/Middleware/AuthMiddleware.php) allows unauthenticated attackers to access all protected API endpoints by including "api/public" anywhere in the request URL, leading to complete exposure of church member data and system information. This vulnerability is fixed in 7.1.0.

CWE(s)

CWE-284 Improper Access Control

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

CVE-2026-39339 is an authentication bypass in a public-facing web application's API, enabling unauthenticated remote attackers to access and modify protected data, directly facilitating T1190: Exploit Public-Facing Application.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-39334 (same product: Churchcrm Churchcrm)
CVE-2025-11529 (same product: Churchcrm Churchcrm)
CVE-2026-39327 (same product: Churchcrm Churchcrm)
CVE-2026-39330 (same product: Churchcrm Churchcrm)
CVE-2026-39341 (same product: Churchcrm Churchcrm)
CVE-2026-39326 (same product: Churchcrm Churchcrm)
CVE-2025-62521 (same product: Churchcrm Churchcrm)
CVE-2026-39337 (same product: Churchcrm Churchcrm)
CVE-2026-39318 (same product: Churchcrm Churchcrm)
CVE-2026-39342 (same product: Churchcrm Churchcrm)

Affected Assets

Vendor: churchcrm
Product: churchcrm
Versions: ≤ 7.1.0

Mitigating Controls (NIST 800-53 r5) (AI)

AC-3 Access Enforcement (prevent): Directly enforces authenticated access decisions on API endpoints, blocking the middleware bypass that grants unauthenticated access when 'api/public' appears in the URL.

IA-2 Identification and Authentication (Organizational Users) (prevent): Requires successful identification and authentication before allowing access to protected ChurchCRM API resources, directly countering the complete authentication bypass.

Remediation (prevent): Mandates timely remediation of the identified flaw in AuthMiddleware.php by applying the upgrade to version 7.1.0 that closes the URL-based bypass.
