CVE-2025-11529: Missing Authentication in ChurchCRM
CVE-2025-11529 is a medium severity vulnerability in ChurchCRM versions up to 5.18.0, caused by missing authentication in the AuthMiddleware component of the API endpoint. This flaw allows an unauthenticated remote attacker to access API functions without proper verification, potentially exposing sensitive data or enabling unauthorized actions. The vulnerability requires neither user interaction nor privileges, making exploitation straightforward over the network. A patch has been released and should be applied promptly to mitigate the risk. European organizations using ChurchCRM, especially faith-based and community organizations, should prioritize updating to secure their systems. The vulnerability's CVSS score is 6.9, reflecting its moderate impact on confidentiality, integrity, and availability. Countries with higher adoption of ChurchCRM or significant religious community infrastructures are more likely to be affected.
AI Analysis
Technical Summary
CVE-2025-11529 identifies a security vulnerability in ChurchCRM, an open-source church management application, affecting all versions up to 5.18.0. The flaw resides in the AuthMiddleware.php file within the API endpoint component, where authentication checks are missing or improperly enforced. This allows remote attackers to bypass authentication controls entirely and gain unauthorized access to API functions. Since the vulnerability requires no privileges or user interaction and is exploitable remotely, it presents a significant risk of unauthorized data access or manipulation. The vulnerability was publicly disclosed on October 9, 2025, and a patch is available, identified by commit 3a1cffd2aea63d884025949cfbcfd274d06216a4. The CVSS v4.0 base score of 6.9 reflects a medium severity, considering the network attack vector, low attack complexity, and no required privileges or user interaction. The impact includes potential confidentiality breaches, integrity violations, and availability disruptions due to unauthorized API access. Although no known exploits are currently active in the wild, the public availability of the exploit code increases the risk of imminent attacks. The vulnerability affects a broad range of ChurchCRM versions, necessitating urgent remediation for all impacted deployments.
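The page does not reproduce the affected code, so the following is an added illustration of the general defect class, written in Python rather than taken from ChurchCRM's AuthMiddleware.php. It contrasts a fail-open middleware (it only rejects when a token is present and invalid, so a request with no token passes straight through) with a fail-closed version in which every API route requires a valid session unless it is on an explicit allow-list. The session store, the `/api/public/status` allow-list entry and the `members_endpoint` handler are constructed for the example.

```python
"""Fail-open vs fail-closed authentication middleware.

Illustrative example only; this is not ChurchCRM's code. Requests are
modelled as plain dicts ({"path": str, "token": str | None}) and handlers
return an (http_status, body) tuple.
"""
from typing import Callable, Optional

Handler = Callable[[dict], tuple[int, str]]

# Constructed session store: bearer token -> user record.
SESSIONS: dict[str, dict] = {
    "tok-alice": {"user": "alice", "roles": {"admin"}},
}

# Hypothetical allow-list of API routes that genuinely need no session.
PUBLIC_API_PATHS = {"/api/public/status"}


def fail_open_auth(next_handler: Handler) -> Handler:
    """Flawed pattern: the check only fires when a *bad* token is present.

    A request that omits the token entirely never hits the rejection branch
    and is handed to the protected handler as if it were authenticated.
    """
    def wrapped(request: dict) -> tuple[int, str]:
        token: Optional[str] = request.get("token")
        if token is not None and token not in SESSIONS:
            return 401, "invalid token"
        return next_handler(request)
    return wrapped


def fail_closed_auth(next_handler: Handler) -> Handler:
    """Hardened pattern: deny by default, allow only with a valid session.

    Public routes are enumerated explicitly; everything else on the API
    must map to a known session or the request stops here with 401.
    """
    def wrapped(request: dict) -> tuple[int, str]:
        if request["path"] in PUBLIC_API_PATHS:
            return next_handler(request)
        user = SESSIONS.get(request.get("token") or "")
        if user is None:
            return 401, "authentication required"
        request["user"] = user          # make identity available downstream
        return next_handler(request)
    return wrapped


def members_endpoint(request: dict) -> tuple[int, str]:
    """Constructed protected handler standing in for a member-data API route."""
    who = request.get("user", {}).get("user", "anonymous")
    return 200, f"members list served to {who}"


def serve(middleware: Callable[[Handler], Handler], path: str,
          token: Optional[str] = None) -> tuple[int, str]:
    """Run one request through the given middleware and the protected handler."""
    app = middleware(members_endpoint)
    return app({"path": path, "token": token})


if __name__ == "__main__":
    # The fail-open middleware lets an anonymous request reach member data.
    print("fail-open, no token:   ", serve(fail_open_auth, "/api/members"))
    # The fail-closed middleware stops it, but still admits a valid session.
    print("fail-closed, no token: ", serve(fail_closed_auth, "/api/members"))
    print("fail-closed, valid tok:", serve(fail_closed_auth, "/api/members", "tok-alice"))
    print("fail-closed, public:   ", serve(fail_closed_auth, "/api/public/status"))
```

The point the contrast makes is that an authentication middleware must be the place where the default answer is "no": the protected handler should only ever see a request that carries an identity the middleware itself resolved.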
Potential Impact
For European organizations, especially churches, religious institutions, and community groups relying on ChurchCRM for managing member data, events, and communications, this vulnerability poses a significant risk. Unauthorized access to the API could lead to exposure of sensitive personal data, such as member contact information, donation records, and internal communications, violating GDPR and other data protection regulations. Integrity of data could be compromised by unauthorized modifications, potentially disrupting organizational operations and trust. Availability could also be affected if attackers manipulate or disable API functions. Given the ease of exploitation and the public availability of exploit code, attackers could rapidly target vulnerable European organizations. This could result in reputational damage, legal penalties, and operational disruptions. Organizations with limited IT security resources or those slow to apply patches are particularly vulnerable. The impact is amplified in countries with larger or more digitally integrated faith communities using ChurchCRM.
Mitigation Recommendations
Organizations should immediately apply the official patch identified by commit 3a1cffd2aea63d884025949cfbcfd274d06216a4 to all affected ChurchCRM instances. If patching is temporarily not possible, restrict network access to the ChurchCRM API endpoints using firewall rules or VPNs to limit exposure. Add compensating controls in front of the application, such as a web application firewall (WAF) with custom rules to detect and block unauthorized API requests. Conduct thorough audits of API access logs to identify any suspicious or unauthorized activity. Review and tighten API permissions and roles within ChurchCRM to minimize the potential damage from unauthorized access. Regularly update ChurchCRM and monitor vendor advisories for further security updates. Educate IT staff and administrators about the vulnerability and the importance of timely patching. Consider deploying intrusion detection/prevention systems (IDS/IPS) tuned to detect exploitation attempts targeting ChurchCRM APIs. Finally, ensure data backups are current and tested to enable recovery in case of compromise.
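To make the log-audit recommendation concrete, here is an added Python example (not tooling from the page or from the ChurchCRM project) that reads web-server access logs in the common combined format and flags API requests that were served a 2xx response to a client address which never completed a login earlier in the log. The `/api/` prefix and the `/session/begin` login path are placeholders for this example; adjust them to your deployment's actual routes. The log lines are constructed.

```python
"""Flag successful API requests from clients with no prior login in the log.

Added example, not part of the original advisory. API_PREFIX and LOGIN_PATH
are assumptions to be adapted to the deployment being audited.
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Iterable, Optional

API_PREFIX = "/api/"           # assumption: prefix of the application's API routes
LOGIN_PATH = "/session/begin"  # assumption: placeholder for the login POST target

# Combined/common log format: ip ident user [time] "METHOD path proto" status size ...
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)


@dataclass
class Hit:
    ip: str
    ts: str
    method: str
    path: str
    status: int


def parse_line(line: str) -> Optional[Hit]:
    """Parse one access-log line; return None for lines that do not match."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    return Hit(m["ip"], m["ts"], m["method"], m["path"], int(m["status"]))


def audit(lines: Iterable[str]) -> list[Hit]:
    """Return API hits served 2xx to an IP that had not logged in earlier in the log.

    Lines are processed in order, so a login only 'covers' requests that follow it.
    """
    logged_in: set[str] = set()
    suspicious: list[Hit] = []
    for line in lines:
        hit = parse_line(line)
        if hit is None:
            continue
        # A successful login (200 or a redirect to the app) marks the client as known.
        if hit.method == "POST" and hit.path == LOGIN_PATH and hit.status in (200, 302):
            logged_in.add(hit.ip)
            continue
        # The path may carry a query string; startswith still matches the route prefix.
        if (hit.path.startswith(API_PREFIX)
                and 200 <= hit.status < 300
                and hit.ip not in logged_in):
            suspicious.append(hit)
    return suspicious


def summarize(hits: list[Hit]) -> Counter:
    """Count flagged API requests per client address for triage."""
    return Counter(h.ip for h in hits)


# Constructed sample: one client logs in and then uses the API; another calls
# the API directly with no login anywhere in the log.
SAMPLE_LOG = [
    '203.0.113.7 - - [09/Oct/2025:10:14:55 +0000] "POST /session/begin HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [09/Oct/2025:10:15:02 +0000] "GET /api/persons HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.23 - - [09/Oct/2025:10:15:40 +0000] "GET /api/persons HTTP/1.1" 200 5120 "-" "curl/8.4"',
    '198.51.100.23 - - [09/Oct/2025:10:15:41 +0000] "GET /api/families/1?full=1 HTTP/1.1" 200 812 "-" "curl/8.4"',
    '198.51.100.23 - - [09/Oct/2025:10:15:42 +0000] "GET /api/persons/9 HTTP/1.1" 401 0 "-" "curl/8.4"',
    '203.0.113.7 - - [09/Oct/2025:10:16:00 +0000] "GET /images/logo.png HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    'garbage line that does not parse',
]


def audit_sample() -> list[Hit]:
    """Run the audit over the constructed sample log."""
    return audit(SAMPLE_LOG)


if __name__ == "__main__":
    flagged = audit_sample()
    for h in flagged:
        print(f"{h.ts}  {h.ip:<15} {h.method} {h.path} -> {h.status}")
    print("per-client counts:", dict(summarize(flagged)))
```

This is a triage heuristic, not proof of compromise: a session established before the log window, clients behind shared NAT, or a single-sign-on flow that never touches the login path will all produce noise, so treat the output as a worklist to correlate with application-side session records rather than as a verdict. The useful signal is the `401` line for the same client: a pattern of 2xx responses interleaved with 401s from one address that never logged in is exactly what an unauthenticated probe of the API would leave behind.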
Affected Countries
United Kingdom, Germany, France, Italy, Spain, Netherlands, Belgium, Poland, Sweden, Ireland
Technical Details
- Data Version: 5.1
- Assigner Short Name: VulDB
- Date Reserved: 2025-10-08T19:05:38.194Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 68e727b132de7eb26af7f8f1
Added to database: 10/9/2025, 3:10:41 AM
Last enriched: 10/16/2025, 8:54:58 AM
Last updated: 11/21/2025, 4:44:10 PM