ChurchCRM CVE-2026-58408
MEDIUMSeverity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
PR:L confirmed because any single non-admin permission flag suffices; C:H for full bulk PII export; I:N and A:N as the endpoint only reads and streams data.
Primary rating from Vendor (GitHub_M).
CVSS VectorVendor: GitHub_M
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Lifecycle Timeline
1DescriptionCVE.org
ChurchCRM is an open-source church management system. Prior to version 7.4.0, a low-privileged user can bypass the /admin/export UI and exfiltrate the entire member directory. The POST /CSVCreateFile.php endpoint generates and streams a CSV containing the full Personally Identifiable Information (PII) of every Person/Family record in the database, without performing any feature-level or object-level authorization check beyond the coarse "has any admin permission" gate inherited from the legacy page bootstrap. In other words, any single non-admin permission flag is enough to reach the CSV bulk-export endpoint, even though such users should not have data export rights. The export script is missing a dedicated isAdmin() (or a new bExportData) authorization check of its own. This issue has been fixed in version 7.4.0.
AnalysisAI
Authorization bypass in ChurchCRM prior to version 7.4.0 exposes the full congregation member directory to any low-privileged authenticated user via the unprotected POST /CSVCreateFile.php endpoint. The endpoint streams a CSV containing complete PII for every Person and Family record in the database without performing a dedicated function-level authorization check, relying instead on a legacy coarse gate that any single non-admin permission flag satisfies. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires a valid ChurchCRM account assigned at least one non-admin permission flag - no administrator access is needed. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 6.5 vector (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N) accurately reflects the risk profile: the attack is network-reachable, requires no complexity, and needs only a low-privilege account, with high confidentiality impact but no integrity or availability consequence. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | A volunteer or low-level staff member with a ChurchCRM account holding any single permission flag authenticates normally, then sends a crafted POST request directly to /CSVCreateFile.php - bypassing the /admin/export UI that would otherwise restrict access. The server responds by streaming a full CSV of the congregation database including names, addresses, and contact details for every person and family record. … |
| Remediation | Upgrade ChurchCRM to version 7.4.0 or later, which introduces a dedicated authorization check on the /CSVCreateFile.php endpoint; vendor patch details are available at https://github.com/ChurchCRM/CRM/security/advisories/GHSA-4vj2-gm78-3q63. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
sapi/cgi/cgi_main.c in PHP before 5.3.12 and 5.4.x before 5.4.2, when configured as a CGI script (aka php-cgi), does not
(1) boardData102.php, (2) boardData103.php, (3) boardDataJP.php, (4) boardDataNA.php, and (5) boardDataWW.php in Netgear
ProjectSend versions prior to r1720 are affected by an improper authentication vulnerability. Rated critical severity (C
Roundcube Webmail contains a critical PHP object deserialization vulnerability (CVE-2025-49113, CVSS 9.9) that allows au
Util/PHP/eval-stdin.php in PHPUnit before 4.8.28 and 5.x before 5.6.3 allows remote attackers to execute arbitrary PHP c
Palo Alto Networks PAN-OS management web interface contains an authentication bypass allowing unauthenticated attackers
Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re
Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re
The get_referers function in /opt/ws/bin/sblistpack in Sophos Web Appliance before 3.7.9.1 and 3.8 before 3.8.1.1 allows
The Backup Migration plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1
NetAlertX (formerly PiAlert) versions 23.01.14 through 24.x before 24.10.12 allow unauthenticated command injection thro
The GiveWP - Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all
Same weakness CWE-862 – Missing Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today