CVE-2026-39331

EUVD-2026-19826
Severity: HIGH, CVSS 3.1 base score 8.1
Published: 2026-04-07 (GitHub_M)

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H

Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Confidentiality: None
Integrity: High
Availability: High

Lifecycle Timeline

EUVD ID Assigned: Apr 07, 2026 - 18:00 (euvd), EUVD-2026-19826
Analysis Generated: Apr 07, 2026 - 18:00 (vuln.today)
CVE Published: Apr 07, 2026 - 17:36 (nvd)

Description

ChurchCRM is an open-source church management system. Prior to 7.1.0, an authenticated API user can modify any family record's state without proper authorization by simply changing the {familyId} parameter in requests, regardless of whether they possess the required EditRecords privilege. /family/{familyId}/verify, /family/{familyId}/verify/url, /family/{familyId}/verify/now, /family/{familyId}/activate/{status}, and /family/{familyId}/geocode lack role-based access control, allowing users to deactivate/reactivate arbitrary families, spam verification emails, and mark families as verified and trigger geocoding. This vulnerability is fixed in 7.1.0.

Analysis

Insecure Direct Object Reference (IDOR) in ChurchCRM API allows authenticated low-privilege users to manipulate arbitrary family records without proper authorization checks. Attackers with any valid API credentials can modify family verification status, trigger spam emails, activate/deactivate accounts, and force geocoding operations on any family record by manipulating the familyId parameter in API requests. …
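The description and analysis above both describe the same defect: the family endpoints authenticate the caller but never check that the caller holds the EditRecords privilege, so any API user can pick an arbitrary familyId. The following is an added illustration, not ChurchCRM code (ChurchCRM itself is a PHP application; this is a language-independent model written in Python). It places the vulnerable dispatcher, which only checks authentication, beside the corrected one, which requires the EditRecords privilege before any family-level write. The route shapes and the privilege name come from the advisory; the in-memory family store, the handler names and the User type are constructed assumptions for the example.

```python
"""Model of a missing-authorization (IDOR) bug on family endpoints.

Hypothetical example, not ChurchCRM's own code. Route shapes and the
'EditRecords' privilege name follow the advisory; everything else
(the store, handler names, User type) is an assumption for illustration.
"""
import copy
import re
from dataclasses import dataclass

# Constructed sample data standing in for the family table.
FAMILIES = {
    1: {"name": "Family One", "active": True, "verified": False},
    2: {"name": "Family Two", "active": True, "verified": False},
}


def fresh_store():
    """Return an independent copy of the sample store for each run."""
    return copy.deepcopy(FAMILIES)


@dataclass(frozen=True)
class User:
    name: str
    privileges: frozenset  # e.g. frozenset({"EditRecords"})


# Route shapes named in the advisory; every one of them writes to a family record.
ROUTES = [
    (re.compile(r"^/family/(?P<familyId>\d+)/verify$"), "verify"),
    (re.compile(r"^/family/(?P<familyId>\d+)/verify/url$"), "verify_url"),
    (re.compile(r"^/family/(?P<familyId>\d+)/verify/now$"), "verify_now"),
    (re.compile(r"^/family/(?P<familyId>\d+)/activate/(?P<status>[^/]+)$"), "activate"),
    (re.compile(r"^/family/(?P<familyId>\d+)/geocode$"), "geocode"),
]


def route(path):
    """Map a request path to (action, params) or (None, None)."""
    for pattern, action in ROUTES:
        m = pattern.match(path)
        if m:
            return action, m.groupdict()
    return None, None


def apply_action(families, action, family_id, params):
    """Perform the state change on the record; returns (status, body)."""
    fam = families.get(family_id)
    if fam is None:
        return 404, {"error": "family not found"}
    if action == "verify_now":
        fam["verified"] = True
    elif action == "activate":
        fam["active"] = params["status"].lower() in ("true", "1")
    elif action == "geocode":
        fam["geocoded"] = True
    else:  # "verify" and "verify_url" both send a verification email
        fam["verification_emails"] = fam.get("verification_emails", 0) + 1
    return 200, {"ok": True, "familyId": family_id}


def handle_vulnerable(families, user, path):
    """Before the fix: authentication only. Any API user may edit any familyId."""
    if user is None:
        return 401, {"error": "unauthenticated"}
    action, params = route(path)
    if action is None:
        return 404, {"error": "no such route"}
    return apply_action(families, action, int(params["familyId"]), params)


def handle_fixed(families, user, path):
    """After the fix: the EditRecords privilege is checked before the record is touched."""
    if user is None:
        return 401, {"error": "unauthenticated"}
    action, params = route(path)
    if action is None:
        return 404, {"error": "no such route"}
    # Authorization happens before the lookup, so a caller without the
    # privilege learns nothing about whether the familyId exists.
    if "EditRecords" not in user.privileges:
        return 403, {"error": "EditRecords privilege required"}
    return apply_action(families, action, int(params["familyId"]), params)


if __name__ == "__main__":
    member = User("member", frozenset())
    store = fresh_store()
    print(handle_vulnerable(store, member, "/family/2/activate/false"), store[2]["active"])
    store = fresh_store()
    print(handle_fixed(store, member, "/family/2/activate/false"), store[2]["active"])
```

The detection-relevant point is where the check sits: in the fixed handler the privilege test precedes the record lookup and every write path, so a request with an unexpected familyId is rejected with 403 regardless of which of the five routes it targets. A single shared check of this kind, applied to every family-modifying route, is what the advisory reports as missing before 7.1.0.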

Remediation

24 hours: Inventory all ChurchCRM instances and document current versions; disable or restrict API access to non-administrative users pending remediation.
7 days: Contact the ChurchCRM vendor for 7.1.0 release status and timeline; if available, plan an upgrade to 7.1.0 or later; if unavailable, implement network-level API access controls limiting API consumers to trusted applications only. …

Priority Score

41
KEV: 0
EPSS: +0.0
CVSS: +40
POC: 0

CVE-2026-39331 vulnerability details – vuln.today