CVE-2026-39339
Published: 07 April 2026
Summary
CVE-2026-39339 is a critical-severity Improper Access Control (CWE-284) vulnerability in ChurchCRM. Its CVSS base score is 9.1 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked in the top 4.2% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-2 (Flaw Remediation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- AC-3 (Access Enforcement): Requires enforcement of approved authorizations for access to protected resources, directly mitigating the API middleware flaw that bypassed authentication via URL manipulation.
- SI-2 (Flaw Remediation): Mandates timely identification, reporting, and correction of system flaws, such as the authentication bypass fixed in ChurchCRM 7.1.0.
- AC-14 (Permitted Actions Without Identification or Authentication): Limits and documents the actions permitted without identification or authentication, countering improper middleware logic that allowed protected API access via 'api/public' in URLs.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
CVE-2026-39339 is an authentication bypass in a public-facing web application's API, enabling unauthenticated remote attackers to access and modify protected data, directly facilitating T1190: Exploit Public-Facing Application.
NVD Description
ChurchCRM is an open-source church management system. Prior to 7.1.0, a critical authentication bypass vulnerability in ChurchCRM's API middleware (ChurchCRM/Slim/Middleware/AuthMiddleware.php) allows unauthenticated attackers to access all protected API endpoints by including "api/public" anywhere in the request URL, leading to complete exposure of church member data and system information. This vulnerability is fixed in 7.1.0.
Deeper analysis
CVE-2026-39339 is a critical authentication bypass vulnerability (CVSS 9.1, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N) affecting ChurchCRM, an open-source church management system, in versions prior to 7.1.0. The issue stems from a flaw in the API middleware (ChurchCRM/Slim/Middleware/AuthMiddleware.php), which permits unauthenticated access to all protected API endpoints when "api/public" is included anywhere in the request URL (CWE-284). This exposes sensitive church member data and system information.
Unauthenticated attackers with network access can exploit the vulnerability remotely with low attack complexity and no user interaction or privileges required. Exploitation allows full bypass of authentication controls, resulting in high confidentiality and integrity impacts, such as unauthorized reading and modification of protected data across the API.
The vulnerability is addressed in ChurchCRM version 7.1.0. For mitigation details, practitioners should consult the GitHub security advisory at https://github.com/ChurchCRM/CRM/security/advisories/GHSA-v3p2-mx78-pxhc.
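As an added illustration (not ChurchCRM's code), the Python below contrasts the flawed "substring anywhere in the URL" route check described above with a check on the normalised request path, and applies the difference to constructed access-log lines to flag requests that a pre-7.1.0 middleware would have passed without authentication. The /api/public prefix, the log format and the addresses are assumptions.

```python
"""Bug class behind CVE-2026-39339: treating a route as public because the string
"api/public" occurs anywhere in the URL, versus matching it only as a prefix of the
normalised request path. Constructed example; /api/public prefix is an assumption."""
import re
from urllib.parse import urlsplit, unquote

def is_public_substring(url: str) -> bool:
    """Shape of the flawed check: any URL containing 'api/public' is public."""
    return "api/public" in url

def path_segments(url: str) -> list:
    """Decode and normalise only the path part of a URL into its segments."""
    segs = []
    for raw in urlsplit(url).path.split("/"):
        seg = unquote(raw)
        if seg in ("", "."):
            continue          # empty (doubled slash) or current-dir segment
        if seg == "..":
            if segs:
                segs.pop()    # parent-dir segment removes the previous one
            continue
        segs.append(seg)
    return segs

def is_public_path(url: str) -> bool:
    """Hardened check: public only if the normalised path starts /api/public."""
    return path_segments(url)[:2] == ["api", "public"]

_REQUEST = re.compile(r'"(?:GET|POST|PUT|PATCH|DELETE) (\S+) HTTP/')

def find_bypass_candidates(log_lines: list) -> list:
    """URLs the flawed check would pass unauthenticated but the hardened check
    rejects: in a pre-7.1.0 access log these are the requests to investigate."""
    flagged = []
    for line in log_lines:
        match = _REQUEST.search(line)
        if match:
            url = match.group(1)
            if is_public_substring(url) and not is_public_path(url):
                flagged.append(url)
    return flagged

# Constructed sample access-log lines (combined log format, documentation IP).
SAMPLE_LOG = [
    '203.0.113.5 - - [07/Apr/2026:10:00:01 +0000] "GET /api/public/calendar/events HTTP/1.1" 200 512',
    '203.0.113.5 - - [07/Apr/2026:10:00:02 +0000] "GET /api/persons/1?ref=api/public HTTP/1.1" 200 2048',
    '203.0.113.5 - - [07/Apr/2026:10:00:03 +0000] "GET /api/public/../persons/1 HTTP/1.1" 200 2048',
    '203.0.113.5 - - [07/Apr/2026:10:00:04 +0000] "POST /api/persons/api/public HTTP/1.1" 200 16',
]
```

Running find_bypass_candidates over a real pre-7.1.0 access log gives a starting list for incident scoping; a 200 on any flagged URL is worth a closer look.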
Details
- CWE(s)