Auth bypass in ChurchCRM

CVE-2026-40480

ChurchCRM is an open-source church management system. In versions prior to 7.2.0, the GET /api/person/{personId} endpoint loads and returns person records without performing object-level authorization checks. Although the legacy PersonView…

Vulnerability class: IDOR (Insecure Direct Object Reference)

EPSS: 0.000 (4.1th percentile)
