ChurchCRM CVE-2026-58410
HIGHSeverity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N
Authenticated low-privilege user (PR:L) sends a network request (AV:N/AC:L/UI:N) to read other families' PII (C:H); integrity is limited to gated note creation (I:L) and availability is unaffected (A:N).
Primary rating from Vendor (GitHub_M).
CVSS VectorVendor: GitHub_M
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N
Lifecycle Timeline
2DescriptionCVE.org
ChurchCRM is an open-source church management system. Prior to version 7.4.0, there was an authorization flaw in the family-scoped endpoints which allowed low-privileged users to read and modify other families’ records. An authenticated non-admin user with EditSelf access can supply another family’s familyId and access records outside their own family scope. The backend trusts the attacker-controlled familyId and loads the corresponding family entity by ID without verifying that the requested family belongs to the current user. If the same user also has Notes permission, they can create notes on another family’s record. This breaks the intended EditSelf scope and allows access to unrelated congregation records. This issue has been fixed in version 7.4.0.
AnalysisAI
Insecure Direct Object Reference in ChurchCRM before 7.4.0 lets an authenticated non-admin user with EditSelf access read and modify other congregations' family records by supplying a different family's familyId to family-scoped endpoints. Because the backend loads the family entity by the attacker-controlled ID without ownership verification, a user who also holds the Notes permission can additionally create notes on unrelated families' records, breaking the intended self-service scope. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires a valid authenticated ChurchCRM account holding EditSelf access (a non-admin role), after which the attacker substitutes another family's familyId into a family-scoped endpoint; write/note-creation abuse additionally requires the account to hold the Notes permission, while read-only access to other families' records needs only EditSelf. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The published CVSS 3.1 vector (AV:N/AC:L/PR:L/UI:N, C:H/I:L/A:N, score 7.1) is internally consistent with the description: network-reachable, low complexity, requires a low-privileged authenticated account, no user interaction, high confidentiality impact (full read of other families' PII) and low integrity impact (limited note creation/modification, gated on the additional Notes permission). … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | A church volunteer is given a standard low-privilege ChurchCRM account with EditSelf access to maintain their own family's contact details. By editing the familyId parameter in a family-scoped request to another family's sequential ID, they retrieve that family's private records, and - if their account also has the Notes permission - attach notes to a family they have no relationship with. … |
| Remediation | Vendor-released patch: 7.4.0 - upgrade all ChurchCRM instances to 7.4.0 or later, which adds the missing ownership check on family-scoped endpoints, per advisory https://github.com/ChurchCRM/CRM/security/advisories/GHSA-jjcj-h3cm-p7x7. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours, audit and restrict EditSelf and Notes permissions to administrative roles only, and review access logs for unauthorized family record access across congregations. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
The package manager in Sitecore CRM 8.1 Rev 151207 allows remote authenticated administrators to execute arbitrary ASP c
The CRM Plugin before 4.2.4 for Redmine allows XSS via crafted vCard data. Rated medium severity (CVSS 6.1), this vulner
ChurchCRM is an open-source church management system. Prior to 7.3.2, The fix for CVE-2026-39337 is incomplete. The pre-
Remote code execution in ChurchCRM before 7.4.0 lets an authenticated administrator run arbitrary PHP on the server by i
Sitecore CRM 8.1 Rev 151207 allows remote authenticated administrators to read arbitrary files via an absolute path trav
ChurchCRM church management system versions before 7.1.0 allow authenticated users with EditSelf permission to exfiltrat
SQL injection in ChurchCRM versions prior to 7.1.0 allows authenticated users with low privileges to execute arbitrary S
Stored cross-site scripting in ChurchCRM versions prior to 7.0.0 allows authenticated users to inject malicious JavaScri
Insecure Direct Object Reference (IDOR) in ChurchCRM API allows authenticated low-privilege users to manipulate arbitrar
Stored Cross-Site Scripting in ChurchCRM admin panel enables session hijacking and administrative account takeover throu
Server-Side Request Forgery in ChurchCRM versions prior to 6.5.3 allows authenticated administrators to trigger outbound
Reflected Cross-Site Scripting in ChurchCRM before 7.4.0 lets remote attackers inject JavaScript through unsanitized req
Same technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today