
CVE-2025-11529: Missing Authentication in ChurchCRM

Severity: Medium
Published: Thu Oct 09 2025 (10/09/2025, 03:02:11 UTC)
Source: CVE Database V5
Product: ChurchCRM

Description

A security flaw has been discovered in ChurchCRM up to and including version 5.18.0. It affects the function AuthMiddleware in the file src/ChurchCRM/Slim/Middleware/AuthMiddleware.php of the API Endpoint component. The flaw results in missing authentication, and it can be exploited remotely. A public exploit has been released and may be used in attacks. The fix is identified by commit 3a1cffd2aea63d884025949cfbcfd274d06216a4; applying the patch remediates this issue.

AI-Powered Analysis

Machine-generated threat intelligence

Last updated: 02/24/2026, 22:03:28 UTC

Technical Analysis

CVE-2025-11529 is a security vulnerability identified in ChurchCRM, an open-source church management software, affecting all versions up to 5.18.0. The flaw resides in the AuthMiddleware component located in src/ChurchCRM/Slim/Middleware/AuthMiddleware.php, which is responsible for enforcing authentication on API endpoints. Due to improper implementation, the middleware fails to authenticate requests, allowing remote attackers to bypass authentication controls entirely. This missing authentication means that attackers can invoke API endpoints without credentials, potentially accessing or manipulating sensitive church data such as member information, event details, or financial records. The vulnerability is exploitable remotely over the network without requiring any privileges or user interaction, increasing its risk profile. The CVSS 4.0 base score is 6.9 (medium severity), reflecting the ease of exploitation and moderate impact on confidentiality, integrity, and availability. The vulnerability does not affect system components beyond the API scope but can lead to unauthorized data exposure or modification. A patch identified by commit 3a1cffd2aea63d884025949cfbcfd274d06216a4 has been released to correct the authentication logic. Although no active exploitation in the wild has been reported, the public release of exploit code necessitates urgent remediation. Organizations using ChurchCRM should prioritize patching and consider additional access controls to mitigate risk.
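The analysis above describes the middleware's job as enforcing authentication on every API request. The following is an added example (not ChurchCRM's code or the patched AuthMiddleware) of the fail-closed pattern a Slim 4 middleware should follow: every request in the API group is denied unless an explicit check passes, with no path allow-list that skips the check. It assumes a Slim 4 application with PSR-15 middleware, a hypothetical session key `user_id` set by the login flow, and a hypothetical `PeopleController`.

```php
<?php
// Added example, not ChurchCRM's own middleware. Assumes Slim 4 (PSR-15
// middleware, PSR-7 messages, slim/psr7) and a login flow that stores the
// authenticated user's id in $_SESSION['user_id'] (hypothetical).
declare(strict_types=1);

use Psr\Http\Message\ResponseInterface;
use Psr\Http\Message\ServerRequestInterface;
use Psr\Http\Server\MiddlewareInterface;
use Psr\Http\Server\RequestHandlerInterface;
use Slim\Psr7\Response;
use Slim\Routing\RouteCollectorProxy;

final class FailClosedAuthMiddleware implements MiddlewareInterface
{
    public function process(ServerRequestInterface $request, RequestHandlerInterface $handler): ResponseInterface
    {
        // Deny by default: the handler runs only when the check succeeds.
        // There is no list of "public" API paths that bypasses this branch.
        if (!$this->isAuthenticated()) {
            $response = new Response(401);
            $response->getBody()->write(json_encode(['error' => 'Authentication required']));
            return $response
                ->withHeader('Content-Type', 'application/json')
                ->withHeader('Cache-Control', 'no-store');
        }
        return $handler->handle($request);
    }

    private function isAuthenticated(): bool
    {
        // Hypothetical check: a missing session or a non-positive id is
        // treated as unauthenticated rather than silently allowed through.
        return isset($_SESSION['user_id']) && (int) $_SESSION['user_id'] > 0;
    }
}

// Registration on the whole API group: a route added to the group later
// cannot be reached without passing through the middleware.
// $app is assumed to come from Slim\Factory\AppFactory::create().
$app->group('/api', function (RouteCollectorProxy $group) {
    $group->get('/people', PeopleController::class . ':index');  // hypothetical controller
})->add(new FailClosedAuthMiddleware());
```

A quick regression check for this kind of middleware is an automated test that issues a request to each API route with no session and asserts a 401, so that a future route cannot be added outside the group unnoticed.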

Potential Impact

The vulnerability allows unauthenticated remote attackers to bypass authentication on ChurchCRM API endpoints, potentially exposing sensitive personal and organizational data managed by churches, including member records, event schedules, and financial information. Unauthorized access could lead to data leakage, unauthorized data modification, or disruption of church operations. While the scope is limited to the API component, the impact on confidentiality and integrity is significant for affected organizations. Availability impact is limited but possible if attackers manipulate API functions to disrupt services. Given the widespread use of ChurchCRM in religious organizations globally, especially in countries with large Christian populations or where digital church management is prevalent, the risk of data breaches and operational disruption is notable. The public availability of exploit code increases the likelihood of opportunistic attacks, especially against poorly secured deployments. Organizations failing to patch may face reputational damage, legal consequences related to data protection laws, and operational challenges.

Mitigation Recommendations

1. Apply the official patch identified by commit 3a1cffd2aea63d884025949cfbcfd274d06216a4 immediately to all affected ChurchCRM instances to restore proper authentication enforcement.
2. Restrict API endpoint access using network-level controls such as IP whitelisting or VPNs to limit exposure to trusted users and systems.
3. Implement Web Application Firewalls (WAFs) with rules to detect and block unauthorized API requests targeting ChurchCRM endpoints.
4. Conduct regular audits of API access logs to identify suspicious or anomalous activity indicative of exploitation attempts.
5. Enforce strong authentication and authorization policies for all ChurchCRM users and services, including multi-factor authentication where possible.
6. Educate administrators and users on the importance of timely updates and monitoring for security advisories related to ChurchCRM.
7. Consider deploying ChurchCRM instances in segmented network zones to reduce the blast radius of potential compromises.
8. Back up ChurchCRM data regularly and verify backup integrity to enable recovery in case of data tampering or loss.


Technical Details

Data Version: 5.1
Assigner Short Name: VulDB
Date Reserved: 2025-10-08T19:05:38.194Z
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 68e727b132de7eb26af7f8f1

Added to database: 10/9/2025, 3:10:41 AM

Last enriched: 2/24/2026, 10:03:28 PM

Last updated: 3/24/2026, 1:35:25 PM
