Q: Root Cause? (CWE/Flaw)

🛡️ **Root Cause**: **CWE-284** (Improper Access Control). The flaw lies in `ChurchCRM/Slim/Middleware/AuthMiddleware.php` due to improper URL handling in the API middleware.

Q: Who is affected? (Versions/Components)

🏢 **Affected**: **ChurchCRM** (Open Source CRM for Churches). 📦 **Version**: All versions **prior to 7.1.0**. 🧩 **Component**: API Middleware.

Q: What can hackers do? (Privileges/Data)

💀 **Attacker Capabilities**: Access **unrestricted data** via protected APIs. 📂 **Privileges**: No authentication required. 📊 **Impact**: High Confidentiality & Integrity loss (CVSS: C:H, I:H).

Q: Is exploitation threshold high? (Auth/Config)

⚡ **Threshold**: **LOW**. 🌐 **Network**: Remote (AV:N). 🔑 **Auth**: None required (PR:N). 🖱️ **UI**: None required (UI:N). 🎯 **Complexity**: Low (AC:L).

Q: Is there a public Exp? (PoC/Wild Exploitation)

🔓 **Exploit**: **Yes**. Public PoC exists via Nuclei templates. 📝 **Method**: Crafted request URL with `api/public` path bypasses middleware checks.

Q: How to self-check? (Features/Scanning)

🔍 **Self-Check**: Scan for ChurchCRM instances. 🧪 **Test**: Send crafted requests to `/api/public` endpoints. 📡 **Tool**: Use Nuclei template `CVE-2026-39339.yaml` for automated detection.

Q: Is it fixed officially? (Patch/Mitigation)

🩹 **Fix**: **Yes**. Official patch released in **Version 7.1.0**. 📢 **Source**: GitHub Security Advisory (GHSA-v3p2-mx78-pxhc).

Q: What if no patch? (Workaround)

🚧 **Workaround**: If unpatched, **block external access** to `/api/public` endpoints via WAF or firewall rules. 🛑 Restrict API middleware URL patterns.

Q: Is it urgent? (Priority Suggestion)

🔥 **Urgency**: **CRITICAL**. 🚨 CVSS Score indicates High Impact. ⏳ Immediate patching to v7.1.0 is strongly recommended to prevent data breaches.

Question 1

What is this vulnerability? (Essence + Consequences)

Accepted Answer

🚨 **Essence**: ChurchCRM < 7.1.0 has an **Authentication Bypass** in its API middleware. 📉 **Consequences**: Unauthenticated attackers can access **all protected API endpoints**, leading to total data compromise.

Question 2

Root Cause? (CWE/Flaw)

Accepted Answer

🛡️ **Root Cause**: **CWE-284** (Improper Access Control). The flaw lies in `ChurchCRM/Slim/Middleware/AuthMiddleware.php` due to improper URL handling in the API middleware.

Question 3

Who is affected? (Versions/Components)

Accepted Answer

🏢 **Affected**: **ChurchCRM** (Open Source CRM for Churches). 📦 **Version**: All versions **prior to 7.1.0**. 🧩 **Component**: API Middleware.

Question 4

What can hackers do? (Privileges/Data)

Accepted Answer

💀 **Attacker Capabilities**: Access **unrestricted data** via protected APIs. 📂 **Privileges**: No authentication required. 📊 **Impact**: High Confidentiality & Integrity loss (CVSS: C:H, I:H).

Question 5

Is exploitation threshold high? (Auth/Config)

Accepted Answer

⚡ **Threshold**: **LOW**. 🌐 **Network**: Remote (AV:N). 🔑 **Auth**: None required (PR:N). 🖱️ **UI**: None required (UI:N). 🎯 **Complexity**: Low (AC:L).

Question 6

Is there a public Exp? (PoC/Wild Exploitation)

Accepted Answer

🔓 **Exploit**: **Yes**. Public PoC exists via Nuclei templates. 📝 **Method**: Crafted request URL with `api/public` path bypasses middleware checks.

Question 7

How to self-check? (Features/Scanning)

Accepted Answer

🔍 **Self-Check**: Scan for ChurchCRM instances. 🧪 **Test**: Send crafted requests to `/api/public` endpoints. 📡 **Tool**: Use Nuclei template `CVE-2026-39339.yaml` for automated detection.

Question 8

Is it fixed officially? (Patch/Mitigation)

Accepted Answer

🩹 **Fix**: **Yes**. Official patch released in **Version 7.1.0**. 📢 **Source**: GitHub Security Advisory (GHSA-v3p2-mx78-pxhc).

Question 9

What if no patch? (Workaround)

Accepted Answer

🚧 **Workaround**: If unpatched, **block external access** to `/api/public` endpoints via WAF or firewall rules. 🛑 Restrict API middleware URL patterns.

Question 10

Is it urgent? (Priority Suggestion)

Accepted Answer

🔥 **Urgency**: **CRITICAL**. 🚨 CVSS Score indicates High Impact. ⏳ Immediate patching to v7.1.0 is strongly recommended to prevent data breaches.

Goal Reached Thanks to every supporter — we hit 100%!

CVE-2026-39339 — AI Deep Analysis Summary

Q1What is this vulnerability? (Essence + Consequences)

Q2Root Cause? (CWE/Flaw)

Q3Who is affected? (Versions/Components)

Q4What can hackers do? (Privileges/Data)

Q5Is exploitation threshold high? (Auth/Config)

Q6Is there a public Exp? (PoC/Wild Exploitation)

Q7How to self-check? (Features/Scanning)

Q8Is it fixed officially? (Patch/Mitigation)

Q9What if no patch? (Workaround)

Q10Is it urgent? (Priority Suggestion)

Continue exploring