CVE-2026-39339 Scanner

CVE-2026-39339 Scanner - Authentication Bypass vulnerability in ChurchCRM

Short Info

Level: Critical
Single Scan
Can be used by: Asset Owner
Estimated Time: 10 seconds
Time Interval: 13 days 9 hours
Scan only one: URL

ChurchCRM is a church management system used by religious organizations to manage member relationships, activities, and communication. It is widely implemented by churches for efficient management of congregation data and church operations. ChurchCRM is used by church administrators and leaders to streamline tasks related to event scheduling, contribution tracking, and generating various reports. This software allows users to automate several administrative tasks, reducing the burden on church staff and volunteers. It integrates various functionalities to ensure comprehensive data management, offering a digital approach for the church community. Due to its vital role in managing sensitive member data, maintaining the security of ChurchCRM is crucial.

The detected vulnerability in ChurchCRM is an authentication bypass arising from improper URL handling in the API middleware. Specifically, it affects the AuthMiddleware component, which can be circumvented through URL injection. This lets unauthenticated users reach endpoints that should be protected, granting access to sensitive church member data and confidential system information without proper authentication. The weakness affects ChurchCRM versions prior to 7.1.0. Understanding and addressing it is essential to prevent unauthorized access to critical church data.

Technically, the vulnerability stems from insufficient URL handling in the 'AuthMiddleware.php' file. Attackers can exploit this flaw by crafting a request URL that circumvents the authentication checks: inserting specific parameters, such as 'api/public', into the request URL bypasses the API authentication mechanism. One affected endpoint is '/api/persons/latest', which should require authentication but becomes reachable through URL manipulation. A successful exploit returns sensitive member information in JSON format.
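A defender-side check for the pattern described above, added here as an example and not part of this page or of ChurchCRM: it scans constructed web-server access-log lines for requests to the protected /api/ routes whose URL-decoded target carries the 'api/public' marker somewhere other than as a genuine leading public path. The log lines, the assumption that legitimate public routes live under a leading '/api/public/' prefix, and the log format are all assumptions made for the example.

```python
import re
from urllib.parse import unquote

# Constructed access-log sample (common log format); not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2026:08:12:01 +0000] "GET /api/persons/latest?api/public=1 HTTP/1.1" 200 2311
203.0.113.7 - - [10/Mar/2026:08:12:02 +0000] "GET /api/persons/latest HTTP/1.1" 401 0
198.51.100.3 - - [10/Mar/2026:08:13:09 +0000] "GET /api/persons/latest/%61pi/public HTTP/1.1" 200 2311
198.51.100.3 - - [10/Mar/2026:08:14:00 +0000] "GET /index.php HTTP/1.1" 200 5120
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

PROTECTED_PREFIX = "/api/"      # the API routes AuthMiddleware is meant to guard
BYPASS_MARKER = "api/public"    # the marker named in the advisory


def is_bypass_attempt(target):
    """True when an /api/ request carries 'api/public' outside a leading public path."""
    decoded = unquote(unquote(target)).lower()   # also unwrap double-encoding
    path, _, _query = decoded.partition("?")
    if not path.startswith(PROTECTED_PREFIX):
        return False
    first = decoded.find(BYPASS_MARKER)
    if first == -1:
        return False
    # Assumption: a target that begins with "/api/public/..." and contains no
    # traversal and no second marker is a genuine public route, not an attempt.
    rest = decoded[1 + len(BYPASS_MARKER):]
    if first == 1 and ".." not in path and BYPASS_MARKER not in rest:
        return False
    return True


def scan_log(text):
    """Return flagged requests; 'succeeded' marks a 200 on a protected route."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m and is_bypass_attempt(m["target"]):
            hits.append({"ip": m["ip"], "target": m["target"],
                         "status": int(m["status"]),
                         "succeeded": m["status"] == "200"})
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit)
```

A 200 response on a flagged request is the signal worth escalating, since a patched instance (7.1.0 or later) should answer such requests with a 401 like the second sample line.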

Successful exploitation of this authentication bypass could have severe consequences for affected churches. It can result in unauthorized access to confidential member data, leading to privacy violations. Attackers could gather personal information on church members, such as names and personal identifiers. Moreover, the exposed system information could be leveraged for further attacks. Unrestricted availability of sensitive data increases the risk for everyone involved and can damage the reputation of, and trust in, the church's management system.
