PT-2026-33525 · Churchcrm · Churchcrm

Published: 2026-04-17 · Updated: 2026-04-18 · CVE-2026-40480

CVSS v4.0: 7.1 (High)

Vector: AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions: ChurchCRM versions prior to 7.2.0

Description: An issue exists in the API layer where the 'GET /api/person/{personId}' endpoint returns person records without performing object-level authorization checks. While the legacy PersonView.php page enforces restrictions via the canEditPerson() function, the API does not. As a result, any authenticated user with EditSelf privileges can enumerate and read the records of other members, disclosing sensitive personally identifiable information (PII) such as names, addresses, phone numbers, and email addresses.

Recommendations: Update to version 7.2.0.
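The following is an added example, not ChurchCRM code, that models the weakness the description names: an authenticated person-lookup endpoint that never asks whether the caller may see the specific record requested, next to a handler that applies an object-level check in the spirit of the legacy canEditPerson() gate. The person store, the `User` model, the `edit_records` privilege name and the `can_access_person` rule are assumptions made for the illustration; only the EditSelf privilege and the endpoint shape come from the advisory. A small log-side helper shows how a defender might spot the enumeration pattern the advisory warns about.

```python
"""Object-level authorization for a person-record API (constructed example).

Models the CVE-2026-40480 pattern: authentication alone does not establish
that the caller may read *this* person. Role names, data and the access
rule are assumptions for the illustration, not ChurchCRM's own code.
"""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass
from typing import Iterable, Optional


@dataclass(frozen=True)
class User:
    user_id: int
    person_id: int              # the person record this account belongs to
    edit_self: bool = False     # EditSelf privilege named in the advisory
    edit_records: bool = False  # assumed elevated privilege: may read any record


# Constructed person store: person_id -> PII. Values are made up.
PEOPLE = {
    1: {"name": "Alice Example", "email": "alice@example.test", "phone": "555-0100"},
    2: {"name": "Bob Example", "email": "bob@example.test", "phone": "555-0101"},
}


def can_access_person(user: User, person_id: int) -> bool:
    """Assumed object-level rule: elevated users may read anyone;
    EditSelf-only users may read just their own record."""
    if user.edit_records:
        return True
    return user.edit_self and user.person_id == person_id


def get_person_vulnerable(user: Optional[User], person_id: int) -> tuple[int, dict]:
    """The weak pattern: checks only that *someone* is logged in, then
    returns whatever id was asked for, so any account can walk the id space."""
    if user is None:
        return 401, {"error": "unauthenticated"}
    record = PEOPLE.get(person_id)
    return (200, record) if record else (404, {"error": "not found"})


def get_person_fixed(user: Optional[User], person_id: int) -> tuple[int, dict]:
    """Hardened handler: the per-object check runs before any data is fetched.

    Returning 404 for both 'missing' and 'forbidden' avoids confirming which
    ids exist; a plain 403 would also be acceptable if the id space is not
    considered sensitive."""
    if user is None:
        return 401, {"error": "unauthenticated"}
    if not can_access_person(user, person_id):
        return 404, {"error": "not found"}
    record = PEOPLE.get(person_id)
    return (200, record) if record else (404, {"error": "not found"})


def flag_enumeration(events: Iterable[tuple[int, int, int]], threshold: int = 5) -> set[int]:
    """Detection helper over (user_id, own_person_id, requested_person_id)
    tuples, e.g. parsed from API access logs. Flags accounts that fetched at
    least `threshold` distinct person records other than their own, which is
    the enumeration shape the advisory describes."""
    foreign_ids: dict[int, set[int]] = defaultdict(set)
    for user_id, own_person_id, requested_id in events:
        if requested_id != own_person_id:
            foreign_ids[user_id].add(requested_id)
    return {uid for uid, ids in foreign_ids.items() if len(ids) >= threshold}


if __name__ == "__main__":
    alice = User(user_id=10, person_id=1, edit_self=True)
    print("vulnerable, Alice reads Bob:", get_person_vulnerable(alice, 2))
    print("fixed, Alice reads Bob:     ", get_person_fixed(alice, 2))
    print("fixed, Alice reads self:    ", get_person_fixed(alice, 1))
```

The `flag_enumeration` threshold is deliberately low for the example; in a real deployment it should be tuned against normal usage of the installation, and the same event stream can feed a rate limit on the endpoint as a stop-gap while the update to 7.2.0 is scheduled.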

Weakness Enumeration: IDOR, Missing Authorization

Related Identifiers: CVE-2026-40480

Affected Products: Churchcrm