Unauthorized Data Exposure in ChurchCRM by Beagle Software
CVE-2026-40480

7.1 HIGH

Key Information:

Vendor: ChurchCRM
Status: Vendor
CVE Published: 17 April 2026

What is CVE-2026-40480?

ChurchCRM, an open-source church management system, has an authorization bypass in the GET /api/person/{personId} endpoint in versions prior to 7.2.0. The endpoint verifies that the caller is authenticated but performs no object-level authorization check, so a user holding only the EditSelf privilege can retrieve the personal data of any other member, including names, addresses, phone numbers and email addresses, simply by supplying that member's personId. The legacy interface enforces canEditPerson() before exposing a record; the API layer did not apply the same restriction. The issue is fixed in version 7.2.0. Installations should upgrade, and administrators can confirm the fix by requesting another member's record with an EditSelf-only session and expecting a denial rather than a 200 response with the record body.

Affected Version(s)

ChurchCRM < 7.2.0

CVSS V4

Score: 7.1
Severity: HIGH
Confidentiality: High
Integrity: None
Availability: None
Attack Vector: Network
Attack Complexity: Low
Attack Requirements: None
Privileges Required: Low (an authenticated EditSelf account)
User Interaction: None

Timeline

  • Vulnerability reserved

  • Vulnerability published (17 April 2026)