Skip to main content

PHP CVE-2026-39339

| EUVD-2026-19839 CRITICAL
Improper Access Control (CWE-284)
2026-04-07 security-advisories@github.com
PHP Authentication Bypass
9.1
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
9.1 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
None

Lifecycle Timeline

6
Analysis Updated
Apr 16, 2026 - 05:45 EUVD-patch-fix
executive_summary
Re-analysis Queued
Apr 16, 2026 - 05:29 backfill_euvd_patch
patch_released
Patch available
Apr 16, 2026 - 05:29 EUVD
7.1.0
EUVD ID Assigned
Apr 07, 2026 - 18:22 euvd
EUVD-2026-19839
Analysis Generated
Apr 07, 2026 - 18:22 vuln.today
CVE Published
Apr 07, 2026 - 18:16 nvd
CRITICAL 9.1

DescriptionGitHub Advisory

ChurchCRM is an open-source church management system. Prior to 7.1.0, a critical authentication bypass vulnerability in ChurchCRM's API middleware (ChurchCRM/Slim/Middleware/AuthMiddleware.php) allows unauthenticated attackers to access all protected API endpoints by including "api/public" anywhere in the request URL, leading to complete exposure of church member data and system information. This vulnerability is fixed in 7.1.0.

AnalysisAI

Authentication bypass in ChurchCRM API middleware enables unauthenticated remote attackers to access all protected endpoints by manipulating URL paths with 'api/public' strings, exposing complete church member databases and system configurations. Affects ChurchCRM versions prior to 7.1.0 with critical CVSS 9.1 rating. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts
Continue with Google Continue with GitHub

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Craft HTTP request with 'api/public' in URL
Exploit
Bypass AuthMiddleware authentication check
Execution
Access protected API endpoints
Impact
Retrieve sensitive church member data
Sign in to reveal

Vulnerability AssessmentAI

Exploitation Remote unauthenticated attacker exploits ChurchCRM versions prior to 7.1.0 by including 'api/public' anywhere in API request URL to bypass AuthMiddleware.php authentication checks. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment This vulnerability presents critical real-world risk despite absence of confirmed active exploitation. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An external attacker scans the internet for ChurchCRM installations using Shodan or similar reconnaissance tools, identifying instances by characteristic login pages or HTTP headers. The attacker crafts HTTP requests to protected API endpoints such as '/api/members/list' but injects 'api/public' into the URL path (e.g., '/api/public/../members/list' or '/api/members/list?path=api/public'). …
Remediation Immediately upgrade to ChurchCRM version 7.1.0 which contains the authentication bypass fix. … Detailed patch versions, workarounds, and compensating controls in full report.
Sign in to read full assessment

Recommended ActionAI

Within 24 hours: identify all ChurchCRM instances in your environment and document current versions; verify network access controls restricting API endpoints to authorized users only. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

More from same product – last 7 days

CVE-2026-49952 CRITICAL POC
9.3 Jun 15

Authentication bypass in Discuz! X5.0 releases 20260320 through 20260501 allows unauthenticated remote attackers to acce
CVE-2026-49954 HIGH POC
8.6 Jun 15

Authenticated remote code execution in Discuz! X5.0 releases 20260320 through 20260501 allows administrators to chain a

CVE-2026-49768 CRITICAL
9.8 Jun 15

Unauthenticated PHP Object Injection in the Happyforms WordPress plugin (versions <= 1.26.13) allows remote attackers to
CVE-2026-27053 CRITICAL
9.8 Jun 15

Unauthenticated PHP Object Injection in the Broadcast Live Video WordPress plugin (versions prior to 7.1.3) allows remot
CVE-2026-49104 CRITICAL
9.8 Jun 15

Unauthenticated PHP object injection in the WordPress plugin 'Integration for Keap/Infusionsoft and Contact Form 7, WPFo

Share

CVE-2026-39339 vulnerability details – vuln.today
Back

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy