CVE-2026-39339
Published: 07 April 2026
Summary
CVE-2026-39339 is a critical-severity Improper Access Control (CWE-284) vulnerability in ChurchCRM (listed as vendor Churchcrm, product Churchcrm). Its CVSS base score is 9.1 (Critical).
Operationally, exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 32.1% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and IA-2 (Identification and Authentication (Organizational Users)).
Deeper analysis
ChurchCRM, an open-source church management system, contains a critical authentication bypass vulnerability in its API middleware component (ChurchCRM/Slim/Middleware/AuthMiddleware.php) prior to version 7.1.0. The flaw permits unauthenticated access to all protected API endpoints when the string "api/public" appears anywhere in the request URL, exposing church member data and system information. The issue carries a CVSS score of 9.1 and is tracked under CWE-284.
Remote attackers can exploit the weakness over the network without credentials or user interaction to read or modify sensitive data through the affected API endpoints. Successful exploitation grants complete access to protected resources that should require authentication.
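A simplified model of the bug class described above, added here as an illustration and not taken from ChurchCRM's code: the flawed check treats any URL containing the substring "api/public" as a public route, while the corrected check anchors the match to the path component and the route prefix. The log lines and helper names are constructed for the example; a detection pass over them flags requests the substring check would have waved through but the anchored check would not, which is the signal a defender would hunt for in access logs.

```python
from urllib.parse import urlsplit

# Constructed sample access-log lines (method, URL, status); not real ChurchCRM logs.
SAMPLE_LOG = [
    "GET /api/public/calendar 200",
    "GET /api/public/events?year=2026 200",
    "GET /api/persons/42 401",
    "GET /api/persons/42?ref=api/public 200",
    "GET /api/public-export/members 200",
]


def is_public_vulnerable(url: str) -> bool:
    """Model of the flawed logic: substring match anywhere in the raw URL,
    so the marker can appear in the query string or inside another segment."""
    return "api/public" in url


def is_public_fixed(url: str) -> bool:
    """Anchored check: only the path component, only the exact /api/public
    prefix followed by a segment boundary. A real middleware should decide
    on the router's resolved route rather than on the raw string."""
    path = urlsplit(url).path
    return path == "/api/public" or path.startswith("/api/public/")


def find_suspect_requests(lines):
    """Return (url, status) for requests the substring check would treat as
    public but the anchored check rejects: candidates for the bypass. A 200
    status on such a request means the unauthenticated call was served."""
    suspects = []
    for line in lines:
        method, url, status = line.split()
        if is_public_vulnerable(url) and not is_public_fixed(url):
            suspects.append((url, int(status)))
    return suspects


if __name__ == "__main__":
    for url, status in find_suspect_requests(SAMPLE_LOG):
        print(f"suspect: {url} -> {status}")
```

Note that "/api/public-export/members" is also flagged: a prefix check must end at a path-segment boundary, not merely at the string "api/public".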
The vulnerability is addressed in ChurchCRM 7.1.0, as noted in the project's GitHub security advisory GHSA-v3p2-mx78-pxhc, which recommends upgrading to the fixed release.
EPSS scores for this CVE rose from a lower initial value to a peak of 0.2127, indicating emerging exploitation interest after disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-19839
Vulnerability details
ChurchCRM is an open-source church management system. Prior to 7.1.0, a critical authentication bypass vulnerability in ChurchCRM's API middleware (ChurchCRM/Slim/Middleware/AuthMiddleware.php) allows unauthenticated attackers to access all protected API endpoints by including "api/public" anywhere in the request URL, leading to complete exposure of church member data and system information. This vulnerability is fixed in 7.1.0.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
CVE-2026-39339 is an authentication bypass in a public-facing web application's API, enabling unauthenticated remote attackers to access and modify protected data, directly facilitating T1190: Exploit Public-Facing Application.
Mitigating Controls (NIST 800-53 r5)
- AC-3 (Access Enforcement): Directly enforces authenticated access decisions on API endpoints, blocking the middleware bypass that grants unauthenticated access when 'api/public' appears in the URL.
- IA-2 (Identification and Authentication (Organizational Users)): Requires successful identification and authentication before allowing access to protected ChurchCRM API resources, directly countering the complete authentication bypass.
- Flaw remediation: Mandates timely remediation of the identified flaw in AuthMiddleware.php by applying the upgrade to version 7.1.0 that closes the URL-based bypass.