Is PHP affected by CVE-2026-39339?

ChurchCRM versions prior to 7.1.0 contain a critical authentication bypass in the API middleware that allows unauthenticated attackers to access protected endpoints and expose complete member databases and system configurations through simple URL path manipulation.

CVE-2026-39339

EUVD-2026-19839 CRITICAL

2026-04-07 [email protected]

9.1

CVSS 3.1

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

None

Lifecycle Timeline

EUVD ID Assigned

Apr 07, 2026 - 18:22 euvd

EUVD-2026-19839

Analysis Generated

Apr 07, 2026 - 18:22 vuln.today

CVE Published

Apr 07, 2026 - 18:16 nvd

CRITICAL 9.1

Description

ChurchCRM is an open-source church management system. Prior to 7.1.0, a critical authentication bypass vulnerability in ChurchCRM's API middleware (ChurchCRM/Slim/Middleware/AuthMiddleware.php) allows unauthenticated attackers to access all protected API endpoints by including "api/public" anywhere in the request URL, leading to complete exposure of church member data and system information. This vulnerability is fixed in 7.1.0.

Analysis

Authentication bypass in ChurchCRM API middleware enables unauthenticated remote attackers to access all protected endpoints by manipulating URL paths with 'api/public' strings, exposing complete church member databases and system configurations. Affects ChurchCRM versions prior to 7.1.0 with critical CVSS 9.1 rating. …

Remediation

Within 24 hours: Identify all ChurchCRM installations and determine current versions; immediately isolate any internet-exposed instances or restrict API access to trusted networks only. Within 7 days: Contact ChurchCRM vendor for patch availability timeline and escalate to leadership; implement network-level controls (WAF rules, API gateway restrictions) to block requests containing 'api/public' path manipulation patterns. …

Analysis

Detailed AI-generated intelligence summary covering attack vector, impact assessment, affected versions, remediation steps, and indicators of compromise.

POChttps://••••••••••.com/exploit

PATCHhttps://••••••••••.com/patch

ADVISORYhttps://••••••••••.com/advisory

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

Priority Score

Low Medium High Critical

KEV: 0

EPSS: +0.1

CVSS: +46

POC: 0

CVE-2026-39339 vulnerability details – vuln.today

Back

CVE-2026-39339

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Remediation

Analysis

Full analysis requires sign-in

Priority Score

Share

CVE-2026-39339

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Remediation

Full analysis requires sign-in

Priority Score

Share

External POC / Exploit Code