Executive Summary

CVE-2026-39339 is a critical authentication bypass vulnerability in ChurchCRM's API middleware prior to version 7.1.0. The issue arises because the authentication logic incorrectly uses a substring check to detect if the request URI contains "api/public". If this substring appears anywhere in the URL, including query parameters, the middleware skips authentication entirely.

This flaw allows unauthenticated attackers to bypass all API authentication by simply including "api/public" in any part of the request URL. As a result, attackers can access all protected API endpoints without valid credentials.

The vulnerability affects many core API functions, exposing sensitive church member data and system information, and allowing unauthorized actions such as data extraction, background job triggering, geocoding service access, and calendar entry deletion.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can have severe impacts including complete exposure of sensitive church member data such as names, emails, creation dates, and family role relationships.

Attackers can perform unauthorized actions like triggering background jobs, accessing geocoding services, and deleting calendar entries without any authentication.

Because the vulnerability allows full pre-authentication access to protected API endpoints, it leads to privacy violations, unauthorized data extraction, potential system abuse, and manipulation of organizational data.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability can be detected by testing API endpoints for authentication bypass when the substring "api/public" is included anywhere in the request URL, including query parameters.

For example, normally protected endpoints such as /api/persons/latest should return HTTP 401 Unauthorized without the bypass. If adding a query parameter like ?bypass=api/public returns HTTP 200 with data, the system is vulnerable.

Suggested commands to detect the vulnerability include using curl to test endpoints with and without the bypass string:

• curl -i https://yourchurchcrm.example/api/persons/latest
• curl -i https://yourchurchcrm.example/api/persons/latest?bypass=api/public

If the first command returns 401 Unauthorized and the second returns 200 OK with data, the vulnerability is present.

Useful 0 Not Useful 0

Mitigation Strategies

The immediate mitigation step is to upgrade ChurchCRM to version 7.1.0 or later, where this authentication bypass vulnerability has been fixed.

Until the upgrade can be applied, restrict external access to the API endpoints to trusted networks or IP addresses to reduce exposure.

Additionally, monitor API access logs for suspicious requests containing the substring "api/public" in URLs, which may indicate exploitation attempts.

Useful 0 Not Useful 0

Compliance Impact

This vulnerability allows unauthenticated attackers to bypass authentication and access sensitive church member data and system information, leading to complete exposure of personal data.

Such unauthorized access and data exposure can result in violations of data protection regulations and standards like GDPR and HIPAA, which require strict controls to protect personal and sensitive information from unauthorized access.

The critical nature of this vulnerability, with high confidentiality and integrity impacts, means affected organizations could face compliance risks, legal liabilities, and reputational damage if exploited.

Useful 0 Not Useful 0