CVE-2025-11529 is a vulnerability identified in the ChurchCRM software, specifically affecting versions from 5.0 through 5.18.0. The flaw resides in the AuthMiddleware component located in src/ChurchCRM/Slim/Middleware/AuthMiddleware.php, which is responsible for enforcing authentication on API endpoints. Due to a missing authentication check, remote attackers can bypass authentication controls and directly access API endpoints without any credentials or user interaction. This can lead to unauthorized access to sensitive information managed by ChurchCRM, such as personal data of congregation members, event details, and administrative functions. The vulnerability is remotely exploitable over the network without requiring any privileges, making it highly accessible to attackers. The CVSS 4.0 base score is 6.9, reflecting a medium severity level due to the lack of authentication combined with limited impact on confidentiality, integrity, and availability (each rated low). Although no known exploits are currently observed in the wild, the exploit code has been publicly released, increasing the risk of active exploitation. A patch identified by commit 3a1cffd2aea63d884025949cfbcfd274d06216a4 has been issued to fix the missing authentication check. Organizations running affected versions should prioritize applying this patch to prevent unauthorized access and potential data breaches.

For European organizations using ChurchCRM, this vulnerability poses a significant risk of unauthorized access to sensitive personal and organizational data. Faith-based organizations, charities, and community groups that rely on ChurchCRM for managing member information, events, and communications could have confidential data exposed or manipulated. This could lead to privacy violations under GDPR, reputational damage, and potential legal consequences. The unauthorized access could also enable attackers to disrupt organizational operations by altering or deleting data. Since the vulnerability allows remote exploitation without authentication or user interaction, the attack surface is broad, increasing the likelihood of compromise. The medium severity rating reflects that while the impact on confidentiality, integrity, and availability is limited, the ease of exploitation and the sensitivity of the data involved elevate the risk. European organizations must consider the regulatory implications of data exposure and the operational impact of unauthorized access.

1. Immediately apply the official patch identified by commit 3a1cffd2aea63d884025949cfbcfd274d06216a4 to all affected ChurchCRM instances to restore proper authentication enforcement. 2. Conduct a thorough audit of API access logs to detect any unauthorized or suspicious activity prior to patching. 3. Implement network-level access controls such as IP whitelisting or VPN requirements to restrict access to ChurchCRM API endpoints. 4. Enforce strong authentication and authorization policies on all administrative interfaces and APIs. 5. Regularly update ChurchCRM and monitor vendor advisories for future security updates. 6. Educate staff on the importance of timely patching and monitoring for unusual system behavior. 7. Consider deploying Web Application Firewalls (WAF) with rules to detect and block unauthenticated API requests. 8. Review data retention and backup policies to ensure rapid recovery in case of data tampering or loss. These steps go beyond generic advice by focusing on immediate patching, proactive monitoring, and layered access controls tailored to the ChurchCRM environment.