CVE-2026-40480: CWE-639: Authorization Bypass Through User-Controlled Key in ChurchCRM CRM
ChurchCRM versions prior to 7. 2. 0 contain an authorization bypass vulnerability in the GET /api/person/{personId} API endpoint. This endpoint does not enforce object-level authorization checks, allowing authenticated users with EditSelf privileges to access other members' personal records. Sensitive personally identifiable information (PII) such as names, addresses, phone numbers, and email addresses may be exposed. The issue has been fixed in version 7. 2. 0.
AI Analysis
Technical Summary
CVE-2026-40480 is an authorization bypass vulnerability in ChurchCRM's API layer affecting versions before 7.2.0. The GET /api/person/{personId} endpoint returns person records without verifying if the requesting user has permission to view those records. While the legacy PersonView.php page enforces edit permissions, the API does not, enabling users with limited privileges (EditSelf) to enumerate and read other users' data. This exposes sensitive PII. The vulnerability is tracked under CWE-639 (Authorization Bypass Through User-Controlled Key) and CWE-862 (Missing Authorization). The vulnerability has a CVSS 4.0 score of 7.1 (high severity) and was fixed in ChurchCRM version 7.2.0.
Potential Impact
Exploitation allows authenticated users with EditSelf privileges to access and enumerate other members' personal information, including sensitive PII such as names, addresses, phone numbers, and email addresses. This unauthorized data disclosure can lead to privacy violations and potential misuse of personal data.
Mitigation Recommendations
Upgrade ChurchCRM to version 7.2.0 or later, where this authorization bypass vulnerability has been fixed. No other mitigation or temporary workaround is indicated in the available data.
CVE-2026-40480: CWE-639: Authorization Bypass Through User-Controlled Key in ChurchCRM CRM
Description
ChurchCRM versions prior to 7. 2. 0 contain an authorization bypass vulnerability in the GET /api/person/{personId} API endpoint. This endpoint does not enforce object-level authorization checks, allowing authenticated users with EditSelf privileges to access other members' personal records. Sensitive personally identifiable information (PII) such as names, addresses, phone numbers, and email addresses may be exposed. The issue has been fixed in version 7. 2. 0.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
CVE-2026-40480 is an authorization bypass vulnerability in ChurchCRM's API layer affecting versions before 7.2.0. The GET /api/person/{personId} endpoint returns person records without verifying if the requesting user has permission to view those records. While the legacy PersonView.php page enforces edit permissions, the API does not, enabling users with limited privileges (EditSelf) to enumerate and read other users' data. This exposes sensitive PII. The vulnerability is tracked under CWE-639 (Authorization Bypass Through User-Controlled Key) and CWE-862 (Missing Authorization). The vulnerability has a CVSS 4.0 score of 7.1 (high severity) and was fixed in ChurchCRM version 7.2.0.
Potential Impact
Exploitation allows authenticated users with EditSelf privileges to access and enumerate other members' personal information, including sensitive PII such as names, addresses, phone numbers, and email addresses. This unauthorized data disclosure can lead to privacy violations and potential misuse of personal data.
Mitigation Recommendations
Upgrade ChurchCRM to version 7.2.0 or later, where this authorization bypass vulnerability has been fixed. No other mitigation or temporary workaround is indicated in the available data.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-04-13T19:50:42.114Z
- Cvss Version
- 4.0
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 69e2c0dabdfbbecc599fc054
Added to database: 4/17/2026, 11:23:06 PM
Last enriched: 4/17/2026, 11:38:14 PM
Last updated: 4/18/2026, 6:52:55 AM
Views: 11
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.