Critical Vulnerability Information

Vulnerability Name: ChurchCRM — API Authentication Bypass (minimal PoC)
Status: Fixed (PR #7376 merged Oct 4, 2025) — CVE pending/requested
Severity: Critical — CVSS v3.1 9.4 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L)
Affected Versions: ChurchCRM = 5.18.1 (patch merged in PR #7376 — confirm release tag)
Fix PR: ChurchCRM/CRM#7376 (merge commit 3a1cffd)

Summary

A critical authentication bypass vulnerability exists in ChurchCRM's API middleware, allowing unauthenticated attackers to access and manipulate protected API endpoints by including the substring in the request URI. The root cause is that string matching is performed on the full URI rather than the request path.

Minimal PoC

Timeline

2025-09-26 — Reported privately via GitHub Security Advisory.
2025-10-04 — Fix merged into PR #7376; maintainer closed the private advisory.
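As an added illustration of the root cause stated in the Summary (this is example code, not ChurchCRM's middleware or the patch in PR #7376), the following Python places an exemption check that matches a public prefix against the full request URI next to a corrected check that decides on the normalized path only. The prefix "/api/public" and the sample URIs are hypothetical placeholders.

```python
# Added example, not ChurchCRM's code: exemption matched against the full URI
# (the bug class in the advisory) beside a check on the normalized path only.
import posixpath
from urllib.parse import unquote, urlsplit

PUBLIC_PREFIX = "/api/public"  # hypothetical allowlisted unauthenticated prefix


def is_public_vulnerable(request_uri: str) -> bool:
    """Vulnerable pattern: substring search over the whole URI, so the
    query string or any later path segment can satisfy the allowlist."""
    return PUBLIC_PREFIX in request_uri


def normalized_path(request_uri: str) -> str:
    """Keep only the path component, percent-decode it once, and collapse
    '.' / '..' segments so the routing decision sees the canonical path."""
    path = urlsplit(request_uri).path
    return posixpath.normpath(unquote(path)) if path else "/"


def is_public_fixed(request_uri: str) -> bool:
    """Corrected pattern: anchored prefix match on the normalized path only;
    "/api/publicx" and "/x?y=/api/public" must not match."""
    path = normalized_path(request_uri)
    return path == PUBLIC_PREFIX or path.startswith(PUBLIC_PREFIX + "/")


def auth_required(request_uri: str, is_public=is_public_fixed) -> bool:
    """Middleware decision: everything outside the public prefix needs a session."""
    return not is_public(request_uri)


# Constructed sample request URIs (not taken from the advisory): True means
# the request must be authenticated.
SAMPLES = {
    "/api/public/events": False,                        # genuinely public
    "/api/private/users": True,                         # must require auth
    "/api/private/users?redirect=/api/public/x": True,  # prefix only in query
    "/api/public/../private/users": True,               # traversal to private
    "/api/publicx/anything": True,                      # prefix not a segment
}

if __name__ == "__main__":
    for uri, expected in SAMPLES.items():
        print(f"{uri:45} vulnerable={auth_required(uri, is_public_vulnerable)!s:5} "
              f"fixed={auth_required(uri)!s:5} expected={expected}")
```

Run as a script, it prints which sample URIs the vulnerable check would wrongly exempt from authentication and confirms the corrected check matches the expected decision for every sample.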