CVE-2026-40480

UNKNOWN 0.0

ChurchCRM has Missing Object-Level Authorization / IDOR in `/api/person/{personId}`

CVSS Score

0.0

EPSS Score

0.0%

EPSS Percentile

0th

ChurchCRM is an open-source church management system. In versions prior to 7.2.0, the GET /api/person/{personId} endpoint loads and returns person records without performing object-level authorization checks. Although the legacy PersonView.php page enforces canEditPerson() restrictions, the API layer omits this check. Any authenticated user with only EditSelf privileges can enumerate and read other members' records, exposing sensitive PII including names, addresses, phone numbers, and email addresses. This issue has been fixed in version 7.2.0.

CWE	CWE-639 CWE-862
Vendor	churchcrm
Product	crm
Published	Apr 17, 2026

Stay Ahead of the Next One

Get instant alerts for churchcrm crm

Be the first to know when new unknown vulnerabilities affecting churchcrm crm are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

Affected Versions

ChurchCRM / CRM

< 7.2.0

References

NVD ↗ CVE.org ↗ EPSS Data ↗

github.com: https://github.com/ChurchCRM/CRM/security/advisories/GHSA-5w59-32c8-933v github.com: https://github.com/ChurchCRM/CRM/issues/8617 github.com: https://github.com/ChurchCRM/CRM/pull/8616 github.com: https://github.com/ChurchCRM/CRM/commit/28ea7a2965fc2fe30e150fadb1ae38a97f8225c2