{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-40480", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-04-13T19:50:42.114Z", "datePublished": "2026-04-17T23:07:30.126Z", "dateUpdated": "2026-04-20T16:16:00.433Z"}, "containers": {"cna": {"title": "ChurchCRM has Missing Object-Level Authorization / IDOR in `/api/person/{personId}`", "problemTypes": [{"descriptions": [{"cweId": "CWE-639", "lang": "en", "description": "CWE-639: Authorization Bypass Through User-Controlled Key", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-862", "lang": "en", "description": "CWE-862: Missing Authorization", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "baseScore": 7.1, "baseSeverity": "HIGH", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N", "version": "4.0"}}], "references": [{"name": "https://github.com/ChurchCRM/CRM/security/advisories/GHSA-5w59-32c8-933v", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/ChurchCRM/CRM/security/advisories/GHSA-5w59-32c8-933v"}, {"name": "https://github.com/ChurchCRM/CRM/issues/8617", "tags": ["x_refsource_MISC"], "url": "https://github.com/ChurchCRM/CRM/issues/8617"}, {"name": "https://github.com/ChurchCRM/CRM/pull/8616", "tags": ["x_refsource_MISC"], "url": "https://github.com/ChurchCRM/CRM/pull/8616"}, {"name": "https://github.com/ChurchCRM/CRM/commit/28ea7a2965fc2fe30e150fadb1ae38a97f8225c2", "tags": ["x_refsource_MISC"], "url": "https://github.com/ChurchCRM/CRM/commit/28ea7a2965fc2fe30e150fadb1ae38a97f8225c2"}], "affected": [{"vendor": "ChurchCRM", "product": "CRM", "versions": [{"version": "< 7.2.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-17T23:07:30.126Z"}, "descriptions": [{"lang": "en", "value": "ChurchCRM is an open-source church management system. In versions prior to 7.2.0, the GET /api/person/{personId} endpoint loads and returns person records without performing object-level authorization checks. Although the legacy PersonView.php page enforces canEditPerson() restrictions, the API layer omits this check. Any authenticated user with only EditSelf privileges can enumerate and read other members' records, exposing sensitive PII including names, addresses, phone numbers, and email addresses. This issue has been fixed in version 7.2.0."}], "source": {"advisory": "GHSA-5w59-32c8-933v", "discovery": "UNKNOWN"}}, "adp": [{"references": [{"url": "https://github.com/ChurchCRM/CRM/security/advisories/GHSA-5w59-32c8-933v", "tags": ["exploit"]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-20T16:15:56.128986Z", "id": "CVE-2026-40480", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-20T16:16:00.433Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-40480", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-20T16:15:56.128986Z"}}}], "references": [{"url": "https://github.com/ChurchCRM/CRM/security/advisories/GHSA-5w59-32c8-933v", "tags": ["exploit"]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-20T16:15:40.633Z"}}], "cna": {"title": "ChurchCRM has Missing Object-Level Authorization / IDOR in `/api/person/{personId}`", "source": {"advisory": "GHSA-5w59-32c8-933v", "discovery": "UNKNOWN"}, "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 7.1, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "HIGH"}}], "affected": [{"vendor": "ChurchCRM", "product": "CRM", "versions": [{"status": "affected", "version": "< 7.2.0"}]}], "references": [{"url": "https://github.com/ChurchCRM/CRM/security/advisories/GHSA-5w59-32c8-933v", "name": "https://github.com/ChurchCRM/CRM/security/advisories/GHSA-5w59-32c8-933v", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/ChurchCRM/CRM/issues/8617", "name": "https://github.com/ChurchCRM/CRM/issues/8617", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/ChurchCRM/CRM/pull/8616", "name": "https://github.com/ChurchCRM/CRM/pull/8616", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/ChurchCRM/CRM/commit/28ea7a2965fc2fe30e150fadb1ae38a97f8225c2", "name": "https://github.com/ChurchCRM/CRM/commit/28ea7a2965fc2fe30e150fadb1ae38a97f8225c2", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "ChurchCRM is an open-source church management system. In versions prior to 7.2.0, the GET /api/person/{personId} endpoint loads and returns person records without performing object-level authorization checks. Although the legacy PersonView.php page enforces canEditPerson() restrictions, the API layer omits this check. Any authenticated user with only EditSelf privileges can enumerate and read other members' records, exposing sensitive PII including names, addresses, phone numbers, and email addresses. This issue has been fixed in version 7.2.0."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-639", "description": "CWE-639: Authorization Bypass Through User-Controlled Key"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-862", "description": "CWE-862: Missing Authorization"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-17T23:07:30.126Z"}}}, "cveMetadata": {"cveId": "CVE-2026-40480", "state": "PUBLISHED", "dateUpdated": "2026-04-20T16:16:00.433Z", "dateReserved": "2026-04-13T19:50:42.114Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-04-17T23:07:30.126Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "ChurchCRM is an open-source church management system. In versions prior to 7.2.0, the GET /api/person/{personId} endpoint loads and returns person records without performing object-level authorization checks. Although the legacy PersonView.php page enforces canEditPerson() restrictions, the API layer omits this check. Any authenticated user with only EditSelf privileges can enumerate and read other members' records, exposing sensitive PII including names, addresses, phone numbers, and email addresses. This issue has been fixed in version 7.2.0."}], "id": "CVE-2026-40480", "lastModified": "2026-04-20T18:59:46.333", "metrics": {"cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 7.1, "baseSeverity": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-04-18T00:16:38.960", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/ChurchCRM/CRM/commit/28ea7a2965fc2fe30e150fadb1ae38a97f8225c2"}, {"source": "security-advisories@github.com", "url": "https://github.com/ChurchCRM/CRM/issues/8617"}, {"source": "security-advisories@github.com", "url": "https://github.com/ChurchCRM/CRM/pull/8616"}, {"source": "security-advisories@github.com", "url": "https://github.com/ChurchCRM/CRM/security/advisories/GHSA-5w59-32c8-933v"}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "url": "https://github.com/ChurchCRM/CRM/security/advisories/GHSA-5w59-32c8-933v"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-639"}, {"lang": "en", "value": "CWE-862"}], "source": "security-advisories@github.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,7.2.0)"}}], "enrichment": {"confidence": 81.0, "confidence_source": "matching", "scores": [{"score": 81.0, "source": "matching"}]}, "original": {"product": "CRM", "source": "cna", "vendor": "ChurchCRM"}, "product": "churchcrm", "vendor": "churchcrm"}], "analysis": {"en": {"generated_at": "2026-04-18T08:49:39.398924+00:00", "value": {"mitigation_remediation": ["Upgrade ChurchCRM to version\u00a07.2.0 or later where the GET\u00a0/api/person/{personId} endpoint includes proper object\u2011level authorization checks.", "If an upgrade is not immediately possible, re\u2011configure the API or the permission model to deny GET\u00a0/api/person/{personId} requests for users who only possess EditSelf privileges, ensuring that only users with explicit viewing rights can access person records.", "Audit the database for any exposed PII that may have been accessed by unauthorized users and apply remediation actions such as data sanitization, user notification and, if necessary, remediation of compromised accounts."], "summary": {"action": "Immediate Patch", "impact": "Unauthorized Access to Personal Identifiable Information"}, "threat_synthesis": {"affected_systems": "ChurchCRM, an open\u2011source church management system, is affected in all releases older than version\u00a07.2.0. The vulnerability exists across the CRM product family, as specified by the CNA vendor product list ChurchCRM:CRM. No specific patch level is listed in the CVE description for newer releases beyond 7.2.0, which includes the mitigation for this issue.", "description_and_impact": "A missing object\u2011level authorization check on the GET\u00a0/api/person/{personId} endpoint allows any authenticated user with basic EditSelf privileges to read any member\u2019s record. The data returned contains names, addresses, phone numbers and e\u2011mail addresses, so the flaw results in a confidentiality breach of sensitive personal information. The underlying weakness is an IDOR (CWE\u2011639) coupled with improper authorization controls (CWE\u2011862).", "risk_and_exploitability": "The CVSS score of 7.1 indicates a medium\u2011to\u2011high severity flaw. Because the flaw requires only authentication and a standard EditSelf role, it is trivially exploitable by any logged\u2011in user, making the risk high in environments lacking additional controls. The EPSS score is not available, and the vulnerability is not listed in CISA KEV, but the lack of defensive checks in the API layer makes the attack path straightforward: guess sequential person IDs and retrieve PII for each record without further authorization verification."}}}}, "created": "2026-04-18T09:00:05.893125+00:00", "updated": "2026-04-20T14:59:20.056914+00:00", "vendors": ["churchcrm", "churchcrm$PRODUCT$churchcrm"]}