CVE-2026-39339
Authentication Bypass in ChurchCRM API Exposes Sensitive Data

Publication date: 2026-04-07

Last updated on: 2026-04-10

Assigner: GitHub, Inc.

Description
ChurchCRM is an open-source church management system. Prior to 7.1.0, a critical authentication bypass vulnerability in ChurchCRM's API middleware (ChurchCRM/Slim/Middleware/AuthMiddleware.php) allows unauthenticated attackers to access all protected API endpoints by including "api/public" anywhere in the request URL, leading to complete exposure of church member data and system information. This vulnerability is fixed in 7.1.0.
Meta Information
Published: 2026-04-07
Last Modified: 2026-04-10
Generated: 2026-05-07
AI Q&A: 2026-04-07
EPSS Evaluated: 2026-05-05
Affected Vendors & Products (1 associated CPE)
Vendor: churchcrm
Product: churchcrm
Version / Range: all versions prior to 7.1.0 (7.1.0 excluded)
CWE
CWE-284: The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

This vulnerability allows unauthenticated attackers to bypass authentication and access sensitive church member data and system information, leading to complete exposure of personal data.

Such unauthorized access and data exposure can result in violations of data protection regulations and standards like GDPR and HIPAA, which require strict controls to protect personal and sensitive information from unauthorized access.

The critical nature of this vulnerability, with high confidentiality and integrity impacts, means affected organizations could face compliance risks, legal liabilities, and reputational damage if exploited.


Can you explain this vulnerability to me?

CVE-2026-39339 is a critical authentication bypass vulnerability in ChurchCRM's API middleware prior to version 7.1.0. The issue arises because the authentication logic incorrectly uses a substring check to detect if the request URI contains "api/public". If this substring appears anywhere in the URL, including query parameters, the middleware skips authentication entirely.

This flaw allows unauthenticated attackers to bypass all API authentication by simply including "api/public" in any part of the request URL. As a result, attackers can access all protected API endpoints without valid credentials.

The vulnerability affects many core API functions, exposing sensitive church member data and system information, and allowing unauthorized actions such as data extraction, background job triggering, geocoding service access, and calendar entry deletion.
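The following is an added illustration, not code from ChurchCRM or from this page. The real middleware (ChurchCRM/Slim/Middleware/AuthMiddleware.php) is PHP; this Python model reproduces only the logic the description gives, a substring match on the whole request URI, and places next to it one defensible hardened form that tests the path component alone. The hardened check, the function names and the `authorize` wrapper are assumptions for illustration and are not the project's actual 7.1.0 patch.

```python
from urllib.parse import urlsplit


# Hypothetical model of the flawed middleware logic described for CVE-2026-39339:
# the public-route test is a substring match on the entire request URI, so the
# marker can arrive in the query string (or any other part of the URI).
def is_public_route_vulnerable(request_uri: str) -> bool:
    return "api/public" in request_uri


# A hardened form (an assumption here, not the project's actual patch): look only
# at the path component, split it into segments, and require the route to sit
# exactly under /api/public. Query string and fragment are ignored, and any "."
# or ".." segment fails closed so that authentication is still required.
def is_public_route_hardened(request_uri: str) -> bool:
    path = urlsplit(request_uri).path
    segments = path.split("/")
    if "." in segments or ".." in segments:
        return False
    return segments[:3] == ["", "api", "public"]


# Models the middleware decision: 200 if the route is public or the caller has a
# valid session, otherwise 401. `route_check` selects which test is in force.
def authorize(request_uri: str, has_valid_session: bool,
              route_check=is_public_route_hardened) -> int:
    if route_check(request_uri) or has_valid_session:
        return 200
    return 401


if __name__ == "__main__":
    # The two requests from the detection section of this page, sent without a session.
    normal = "https://yourchurchcrm.example/api/persons/latest"
    smuggled = "https://yourchurchcrm.example/api/persons/latest?bypass=api/public"
    for uri in (normal, smuggled):
        print(f"{uri}\n  vulnerable check -> {authorize(uri, False, is_public_route_vulnerable)}"
              f"\n  hardened check   -> {authorize(uri, False)}")
```

The hardened variant deliberately fails closed on anything it does not recognise (relative segments, a doubled leading slash): an unrecognised path is simply treated as protected, which is the safe default for an allow-list of public routes.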


How can this vulnerability impact me?

This vulnerability can have severe impacts including complete exposure of sensitive church member data such as names, emails, creation dates, and family role relationships.

Attackers can perform unauthorized actions like triggering background jobs, accessing geocoding services, and deleting calendar entries without any authentication.

Because the vulnerability allows full pre-authentication access to protected API endpoints, it leads to privacy violations, unauthorized data extraction, potential system abuse, and manipulation of organizational data.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by testing API endpoints for authentication bypass when the substring "api/public" is included anywhere in the request URL, including query parameters.

For example, normally protected endpoints such as /api/persons/latest should return HTTP 401 Unauthorized without the bypass. If adding a query parameter like ?bypass=api/public returns HTTP 200 with data, the system is vulnerable.

Suggested commands to detect the vulnerability include using curl to test endpoints with and without the bypass string (the second URL is quoted so the shell does not treat "?" as a glob character):

  • curl -i 'https://yourchurchcrm.example/api/persons/latest'
  • curl -i 'https://yourchurchcrm.example/api/persons/latest?bypass=api/public'

If the first command returns 401 Unauthorized and the second returns 200 OK with data, the vulnerability is present.


What immediate steps should I take to mitigate this vulnerability?

The immediate mitigation step is to upgrade ChurchCRM to version 7.1.0 or later, where this authentication bypass vulnerability has been fixed.

Until the upgrade can be applied, restrict external access to the API endpoints to trusted networks or IP addresses to reduce exposure.

Additionally, monitor API access logs for suspicious requests containing the substring "api/public" in URLs, which may indicate exploitation attempts.
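As an added example of the log monitoring suggested above (not code from this page or from ChurchCRM), the script below scans web-server access log lines in the common combined format and flags requests where "api/public" appears in the request target but the path itself is not under /api/public, which is the shape an exploitation attempt takes. The sample log lines, addresses, timestamps and non-public paths are constructed for the example; a plain `grep 'api/public'` would also match legitimate calls to the real public routes, which is why the path is inspected.

```python
import re
from urllib.parse import urlsplit

# Constructed sample lines in combined log format (addresses, times and paths made up
# for this example; /api/persons/latest is the endpoint named in the advisory text).
SAMPLE_LOG = """\
203.0.113.7 - - [07/Apr/2026:10:00:01 +0000] "GET /api/persons/latest HTTP/1.1" 401 0 "-" "curl/8.5.0"
203.0.113.7 - - [07/Apr/2026:10:00:02 +0000] "GET /api/persons/latest?bypass=api/public HTTP/1.1" 200 4821 "-" "curl/8.5.0"
198.51.100.2 - - [07/Apr/2026:10:01:10 +0000] "GET /api/public/ping HTTP/1.1" 200 310 "-" "Mozilla/5.0"
203.0.113.7 - - [07/Apr/2026:10:02:33 +0000] "DELETE /api/calendar/entry/42?x=api/public HTTP/1.1" 200 0 "-" "curl/8.5.0"
192.0.2.9 - - [07/Apr/2026:10:03:00 +0000] "GET /api/persons/search?q=smith HTTP/1.1" 200 1200 "-" "Mozilla/5.0"
"""

# Combined log format: client, ident, user, [timestamp], "METHOD target PROTO", status, ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)


def is_bypass_indicator(target: str) -> bool:
    # True when the marker string is present in the request target but the path
    # component is not under /api/public, i.e. the marker came via the query string
    # (or was embedded somewhere else) rather than naming a genuine public route.
    if "api/public" not in target:
        return False
    path = urlsplit(target).path
    return path.split("/")[:3] != ["", "api", "public"]


def scan_access_log(text: str) -> list[dict]:
    # Returns one finding per suspicious request. A 200 on a protected endpoint means
    # the bypass worked (unpatched instance); a 401 suggests the attempt was rejected.
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line; skipped rather than silently misclassified
        target = m.group("target")
        if is_bypass_indicator(target):
            findings.append({
                "ip": m.group("ip"),
                "time": m.group("ts"),
                "method": m.group("method"),
                "target": target,
                "status": int(m.group("status")),
                "succeeded": m.group("status") == "200",
            })
    return findings


if __name__ == "__main__":
    for f in scan_access_log(SAMPLE_LOG):
        verdict = "BYPASS SUCCEEDED" if f["succeeded"] else "attempt rejected"
        print(f'{f["time"]} {f["ip"]} {f["method"]} {f["target"]} -> {f["status"]} ({verdict})')
```

Run it against a real log with `scan_access_log(open("access.log").read())`; findings with `succeeded` set to True on an instance that has not yet been upgraded to 7.1.0 should be treated as confirmed unauthorised access to the data behind that endpoint.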

