CVE-2026-39339 Overview
CVE-2026-39339 is a critical authentication bypass vulnerability affecting ChurchCRM, an open-source church management system. Prior to version 7.1.0, a flaw in ChurchCRM's API middleware (ChurchCRM/Slim/Middleware/AuthMiddleware.php) allows unauthenticated attackers to access all protected API endpoints by including "api/public" anywhere in the request URL. This vulnerability leads to complete exposure of sensitive church member data and system information, posing significant risks to organizations using affected versions.
Critical Impact
Unauthenticated attackers can bypass all API authentication controls and gain complete access to protected endpoints, exposing sensitive church member personal information and system data.
Affected Products
- ChurchCRM versions prior to 7.1.0
- ChurchCRM API Middleware (AuthMiddleware.php)
- All ChurchCRM deployments using the vulnerable Slim Framework middleware
Discovery Timeline
- 2026-04-07 - CVE-2026-39339 published to NVD
- 2026-04-08 - Last updated in NVD database
Technical Details for CVE-2026-39339
Vulnerability Analysis
This authentication bypass vulnerability (CWE-284: Improper Access Control) exists in the AuthMiddleware.php file within ChurchCRM's Slim Framework implementation. The middleware responsible for protecting API endpoints decides whether a request is public by looking for a fixed substring in the URL, and skips the authentication check whenever that substring is present, regardless of which endpoint the request actually reaches.
The vulnerability allows attackers to completely circumvent authentication controls by manipulating the request URL. When the string "api/public" appears anywhere within the request path, the middleware incorrectly treats the request as accessing a public endpoint, regardless of whether the actual target endpoint requires authentication. This design flaw enables full access to protected resources including member databases, financial records, and administrative functions without any credentials.
The attack can be executed remotely over the network without requiring any privileges or user interaction. Successful exploitation results in high-impact compromise of data confidentiality and integrity, though system availability remains unaffected.
Root Cause
The root cause lies in improper input validation within the AuthMiddleware.php file. The middleware uses a plain substring match: it checks whether "api/public" occurs anywhere in the URL path instead of checking that the resolved path is one of the designated public endpoints. This allows attackers to craft URLs that include the bypass string while still routing to protected endpoints.
Attack Vector
The attack is network-based and requires no authentication or user interaction. An attacker can exploit this vulnerability by sending HTTP requests to any protected API endpoint while including "api/public" as a substring in the URL path. The middleware's flawed validation logic will then skip authentication checks entirely, granting the attacker full access to the requested resource.
For example, an attacker could craft a URL path that contains "api/public" while still targeting sensitive endpoints like member management, donation records, or administrative functions. The vulnerability is trivial to exploit and requires only basic knowledge of HTTP request manipulation.
Technical details and proof-of-concept information are available in the GitHub Security Advisory.
Detection Methods for CVE-2026-39339
Indicators of Compromise
- Unusual API requests containing "api/public" substring patterns in unexpected URL positions
- Unauthenticated access attempts to normally protected API endpoints
- Anomalous data access patterns from external IP addresses without valid session tokens
- Log entries showing successful API responses to requests that should require authentication
Detection Strategies
- Implement web application firewall (WAF) rules to detect and block requests containing suspicious "api/public" patterns in non-standard URL positions
- Monitor HTTP access logs for requests to protected endpoints that lack authentication headers or session cookies
- Deploy intrusion detection systems (IDS) with custom signatures targeting the authentication bypass pattern
- Audit API access logs for unauthorized data retrieval operations
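The root-cause section above describes the middleware's public-endpoint test as a substring match, and the detection strategies ask for access-log review. The following added example (not ChurchCRM's code; the advisory gives the behaviour, not the source) places that substring test beside a path-based check and uses the difference between the two to scan web-server access logs. Everything not taken from the advisory is an assumption: that the genuine public API lives under the path /api/public, that the logs are in the common combined format, and the endpoint names and log lines, which are constructed.

```python
"""Added example, not ChurchCRM's code: the advisory describes the
middleware's public-endpoint test as a substring match for "api/public"
anywhere in the URL. This module puts that test beside a path-based check
and uses the difference to scan access logs. Assumptions not taken from the
advisory: the genuine public API lives under /api/public, the logs are in
the common combined format, and the endpoint names are illustrative."""
import posixpath
import re
from urllib.parse import unquote, urlsplit

PUBLIC_ROOT = "/api/public"  # assumed prefix of the unauthenticated endpoints


def flawed_is_public(request_url: str) -> bool:
    """The test as the advisory describes it: the marker anywhere in the URL."""
    return "api/public" in request_url


def normalized_path(request_url: str) -> str:
    """Reduce a raw request URL to the path a router dispatches on:
    drop query string and fragment, percent-decode, collapse repeated
    slashes and resolve "." and ".." segments."""
    raw = unquote(urlsplit(request_url).path)
    return posixpath.normpath("/" + raw.lstrip("/"))


def hardened_is_public(request_url: str) -> bool:
    """Skip authentication only when the normalized path is the public root
    or lies beneath it; the marker elsewhere in the URL proves nothing."""
    path = normalized_path(request_url)
    return path == PUBLIC_ROOT or path.startswith(PUBLIC_ROOT + "/")


def is_bypass_attempt(request_url: str) -> bool:
    """True for a URL the flawed test waves through but the path check rejects."""
    return flawed_is_public(request_url) and not hardened_is_public(request_url)


# Combined-format access log: client, ident, user, [time], "request", status, size
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<url>\S+) [^"]*" (?P<status>\d{3}) \S+'
)


def scan_access_log(lines):
    """Return one record per request that matches the bypass pattern.
    'served' marks the ones the application answered with 2xx, i.e. likely
    successful exploitation rather than a blocked probe."""
    findings = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue
        url = m.group("url")
        if not is_bypass_attempt(url):
            continue
        status = int(m.group("status"))
        findings.append({
            "ip": m.group("ip"),
            "time": m.group("time"),
            "url": url,
            "resolved_path": normalized_path(url),
            "status": status,
            "served": 200 <= status < 300,
        })
    return findings


# Constructed sample: one legitimate public call, one rejected protected call,
# and three requests carrying the marker outside a real public path.
SAMPLE_LOG = """\
203.0.113.7 - - [07/Apr/2026:10:15:01 +0000] "GET /api/public/calendar HTTP/1.1" 200 512
203.0.113.7 - - [07/Apr/2026:10:15:02 +0000] "GET /api/persons HTTP/1.1" 401 0
203.0.113.7 - - [07/Apr/2026:10:15:03 +0000] "GET /api/persons?marker=api/public HTTP/1.1" 200 48211
203.0.113.7 - - [07/Apr/2026:10:15:04 +0000] "GET /api/public/../persons HTTP/1.1" 200 48211
198.51.100.4 - - [07/Apr/2026:10:16:00 +0000] "GET /api/public/%2e%2e/families HTTP/1.1" 403 0
""".splitlines()

if __name__ == "__main__":
    for hit in scan_access_log(SAMPLE_LOG):
        flag = "SERVED" if hit["served"] else "blocked"
        print(f'{hit["time"]} {hit["ip"]} {hit["url"]} -> '
              f'{hit["resolved_path"]} [{hit["status"]} {flag}]')
```

The scanner inspects the raw request line, query string included, because the advisory describes the match as applying anywhere in the URL; if the real check only looked at the path, the extra coverage costs nothing. Records with `served` set are the ones to treat as confirmed data exposure; the others show probing that the application or an upstream filter rejected. Web servers normally resolve dot segments before the application sees the path, so the `resolved_path` field tells the analyst which protected route a request actually reached.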
Monitoring Recommendations
- Enable detailed logging for all API middleware authentication decisions
- Configure alerting for API access patterns that deviate from established baselines
- Monitor for bulk data extraction attempts that could indicate post-exploitation activity
- Review access logs regularly for requests containing anomalous URL patterns targeting sensitive endpoints
How to Mitigate CVE-2026-39339
Immediate Actions Required
- Upgrade ChurchCRM to version 7.1.0 or later immediately
- If immediate upgrade is not possible, restrict network access to the ChurchCRM application
- Review API access logs for signs of historical exploitation
- Implement web application firewall rules to block requests containing suspicious URL patterns
Patch Information
The vulnerability is fixed in ChurchCRM version 7.1.0. Organizations should upgrade to this version or later as soon as possible. The patch corrects the flawed URL validation logic in the AuthMiddleware.php file to properly enforce authentication requirements on all protected endpoints.
For detailed patch information, refer to the GitHub Security Advisory.
Workarounds
- Place a reverse proxy or WAF in front of ChurchCRM to filter malicious requests
- Implement network-level access controls to limit who can reach the ChurchCRM API
- Disable public network access to the application until patching is complete
- Consider temporarily disabling API functionality if it is not critical to operations
# Example nginx configuration to block suspicious requests. It goes at server
# level so it runs before location matching: a location block holding only
# "return 403" would also swallow legitimate /api/public/ requests instead of
# passing them on to PHP. $request_uri is the raw request line including the
# query string; $uri is the normalized path with percent-encoding decoded and
# "." / ".." segments resolved. Adjust the prefix if ChurchCRM is installed
# under a sub-path.
set $deny_bypass 0;
if ($request_uri ~* "api/public") { set $deny_bypass 1; }
if ($uri ~ "^/api/public/") { set $deny_bypass 0; }
if ($deny_bypass) { return 403; }
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.