Skip to main content

ChurchCRM CVE-2026-58410

HIGH
Authorization Bypass Through User-Controlled Key (CWE-639)
2026-07-13 GitHub_M
7.1
CVSS 3.1 · Vendor: GitHub_M
Share

Severity by source

Vendor (GitHub_M) PRIMARY
7.1 HIGH
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N
vuln.today AI
7.1 HIGH

Authenticated low-privilege user (PR:L) sends a network request (AV:N/AC:L/UI:N) to read other families' PII (C:H); integrity is limited to gated note creation (I:L) and availability is unaffected (A:N).

3.1 AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (GitHub_M).

CVSS VectorVendor: GitHub_M

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
Low
Availability
None

Lifecycle Timeline

2
Analysis Generated
Jul 13, 2026 - 21:02 vuln.today
CVE Published
Jul 13, 2026 - 20:26 cve.org
HIGH 7.1

DescriptionCVE.org

ChurchCRM is an open-source church management system. Prior to version 7.4.0, there was an authorization flaw in the family-scoped endpoints which allowed low-privileged users to read and modify other families’ records. An authenticated non-admin user with EditSelf access can supply another family’s familyId and access records outside their own family scope. The backend trusts the attacker-controlled familyId and loads the corresponding family entity by ID without verifying that the requested family belongs to the current user. If the same user also has Notes permission, they can create notes on another family’s record. This breaks the intended EditSelf scope and allows access to unrelated congregation records. This issue has been fixed in version 7.4.0.

AnalysisAI

Insecure Direct Object Reference in ChurchCRM before 7.4.0 lets an authenticated non-admin user with EditSelf access read and modify other congregations' family records by supplying a different family's familyId to family-scoped endpoints. Because the backend loads the family entity by the attacker-controlled ID without ownership verification, a user who also holds the Notes permission can additionally create notes on unrelated families' records, breaking the intended self-service scope. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Authenticate as low-privileged EditSelf user
Delivery
Enumerate target familyId values
Exploit
Submit request with foreign familyId
Execution
Backend loads family without ownership check
Impact
Read PII or create notes on other families

Vulnerability AssessmentAI

Exploitation Exploitation requires a valid authenticated ChurchCRM account holding EditSelf access (a non-admin role), after which the attacker substitutes another family's familyId into a family-scoped endpoint; write/note-creation abuse additionally requires the account to hold the Notes permission, while read-only access to other families' records needs only EditSelf. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The published CVSS 3.1 vector (AV:N/AC:L/PR:L/UI:N, C:H/I:L/A:N, score 7.1) is internally consistent with the description: network-reachable, low complexity, requires a low-privileged authenticated account, no user interaction, high confidentiality impact (full read of other families' PII) and low integrity impact (limited note creation/modification, gated on the additional Notes permission). … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario A church volunteer is given a standard low-privilege ChurchCRM account with EditSelf access to maintain their own family's contact details. By editing the familyId parameter in a family-scoped request to another family's sequential ID, they retrieve that family's private records, and - if their account also has the Notes permission - attach notes to a family they have no relationship with. …
Remediation Vendor-released patch: 7.4.0 - upgrade all ChurchCRM instances to 7.4.0 or later, which adds the missing ownership check on family-scoped endpoints, per advisory https://github.com/ChurchCRM/CRM/security/advisories/GHSA-jjcj-h3cm-p7x7. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours, audit and restrict EditSelf and Notes permissions to administrative roles only, and review access logs for unauthorized family record access across congregations. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

More in Crm

View all
CVE-2017-5965 MEDIUM POC
6.7 May 23

The package manager in Sitecore CRM 8.1 Rev 151207 allows remote authenticated administrators to execute arbitrary ASP c

CVE-2019-15950 MEDIUM POC
6.1 Sep 16

The CRM Plugin before 4.2.4 for Redmine allows XSS via crafted vCard data. Rated medium severity (CVSS 6.1), this vulner

CVE-2026-42288 CRITICAL
10.0 May 12

ChurchCRM is an open-source church management system. Prior to 7.3.2, The fix for CVE-2026-39337 is incomplete. The pre-

CVE-2026-58409 CRITICAL
9.1 Jul 13

Remote code execution in ChurchCRM before 7.4.0 lets an authenticated administrator run arbitrary PHP on the server by i

CVE-2017-5966 MEDIUM POC
4.9 May 23

Sitecore CRM 8.1 Rev 151207 allows remote authenticated administrators to read arbitrary files via an absolute path trav

CVE-2026-39328 HIGH
8.9 Apr 07

ChurchCRM church management system versions before 7.1.0 allow authenticated users with EditSelf permission to exfiltrat

CVE-2026-35566 HIGH
8.8 Apr 07

SQL injection in ChurchCRM versions prior to 7.1.0 allows authenticated users with low privileges to execute arbitrary S

CVE-2026-35576 HIGH
8.7 Apr 07

Stored cross-site scripting in ChurchCRM versions prior to 7.0.0 allows authenticated users to inject malicious JavaScri

CVE-2026-39331 HIGH
8.1 Apr 07

Insecure Direct Object Reference (IDOR) in ChurchCRM API allows authenticated low-privilege users to manipulate arbitrar

CVE-2026-35575 HIGH
8.0 Apr 07

Stored Cross-Site Scripting in ChurchCRM admin panel enables session hijacking and administrative account takeover throu

CVE-2026-35572 HIGH
7.0 Apr 07

Server-Side Request Forgery in ChurchCRM versions prior to 6.5.3 allows authenticated administrators to trigger outbound

CVE-2026-58411 HIGH
7.0 Jul 13

Reflected Cross-Site Scripting in ChurchCRM before 7.4.0 lets remote attackers inject JavaScript through unsanitized req

Share

CVE-2026-58410 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy