CVE-2026-39339

Name of the Vulnerable Software and Affected Versions ChurchCRM versions prior to 7.1.0

Description ChurchCRM, an open-source church management system, contains a critical authentication bypass issue in its API middleware (ChurchCRM/Slim/Middleware/AuthMiddleware.php). Attackers can bypass authentication and access all protected API endpoints by including "api/public" in the request URL. This allows complete exposure of church member data and system information.

Recommendations Update to version 7.1.0.