CVE-2025-11529
ChurchCRM API Endpoint AuthMiddleware.php AuthMiddleware missing authentication
CVSS Score
7.3
EPSS Score
0.0%
EPSS Percentile
0th
A security flaw has been discovered in ChurchCRM up to 5.18.0. This impacts the function AuthMiddleware of the file src/ChurchCRM/Slim/Middleware/AuthMiddleware.php of the component API Endpoint. The manipulation results in missing authentication. The attack can be executed remotely. The exploit has been released to the public and may be used for attacks. The patch is identified as 3a1cffd2aea63d884025949cfbcfd274d06216a4. A patch should be applied to remediate this issue.
| CWE | CWE-306 CWE-287 |
| Vendor | n/a |
| Product | churchcrm |
| Published | Oct 9, 2025 |
| Last Updated | Feb 24, 2026 |
Stay Ahead of the Next One
Get instant alerts for n/a churchcrm
Be the first to know when new high vulnerabilities affecting n/a churchcrm are published โ delivered to Slack, Telegram or Discord.
Get Free Alerts โ
Free ยท No credit card ยท 60 sec setup
CVSS v3 Breakdown
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality
Integrity
Availability
Affected Versions
n/a / ChurchCRM
5.0 5.1 5.2 5.3 5.4 5.5 5.6 5.7 5.8 5.9 5.10 5.11 5.12 5.13 5.14 5.15 5.16 5.17 5.18.0
References
vuldb.com: https://vuldb.com/?id.327667 vuldb.com: https://vuldb.com/?ctiid.327667 vuldb.com: https://vuldb.com/?submit.669916 github.com: https://github.com/uartu0/advisories/blob/main/churchcrm-api-auth-bypass-2025.md github.com: https://github.com/ChurchCRM/CRM/pull/7376 github.com: https://github.com/ChurchCRM/CRM/commit/3a1cffd2aea63d884025949cfbcfd274d06216a4
Credits
๐ uartu0 (VulDB User)