CVE-2026-35184 Overview
EcclesiaCRM, an open-source CRM software designed for church management, contains a critical SQL injection vulnerability in versions prior to 8.0.0. The vulnerability exists in the v2/templates/query/queryview.php file, where the custom and value parameters are not properly sanitized before being used in database queries. This allows authenticated attackers to inject malicious SQL commands that can compromise the underlying database.
Critical Impact
Authenticated attackers can exploit this SQL injection vulnerability to extract sensitive church member data, modify database records, or potentially gain further system access through database-level attacks.
Affected Products
- EcclesiaCRM versions prior to 8.0.0
- Installations using the vulnerable v2/templates/query/queryview.php endpoint
Discovery Timeline
- April 6, 2026 - CVE-2026-35184 published to NVD
- April 7, 2026 - Last updated in NVD database
Technical Details for CVE-2026-35184
Vulnerability Analysis
This SQL injection vulnerability (CWE-89: Improper Neutralization of Special Elements used in an SQL Command) occurs when user-supplied input through the custom and value parameters is incorporated directly into SQL queries without adequate sanitization or parameterization. The vulnerable endpoint v2/templates/query/queryview.php accepts these parameters and constructs dynamic SQL queries, creating an injection point that authenticated users can exploit.
The attack requires network access and low-privilege authentication (PR:L), meaning any user with valid credentials to the EcclesiaCRM application could potentially exploit this vulnerability. Successful exploitation enables attackers to read, modify, or delete database contents, potentially affecting confidentiality, integrity, and availability of the church management data.
Root Cause
The root cause is insufficient input validation and the use of dynamic SQL query construction. The custom and value parameters are directly concatenated or interpolated into SQL statements without proper escaping, prepared statements, or parameterized queries. This architectural flaw allows SQL metacharacters in user input to modify the intended query logic.
Attack Vector
The attack is network-based and requires authenticated access to the EcclesiaCRM application. An attacker with valid credentials can craft malicious requests to the queryview.php endpoint, injecting SQL payloads through the vulnerable parameters. The exploitation mechanism involves:
- Authenticating to the EcclesiaCRM application with any valid user account
- Crafting a request to v2/templates/query/queryview.php with malicious SQL syntax in the custom or value parameters
- The injected SQL executes with the privileges of the database user configured for the application
For detailed technical information about the exploitation mechanism, refer to the GitHub Gist documentation and the GitHub Security Advisory.
Detection Methods for CVE-2026-35184
Indicators of Compromise
- Unusual or malformed requests to v2/templates/query/queryview.php containing SQL keywords (UNION, SELECT, INSERT, UPDATE, DELETE, DROP)
- Database error messages in application logs indicating SQL syntax errors from user input
- Unexpected database queries or data access patterns in database audit logs
- Evidence of data exfiltration or unauthorized modifications to church member records
Detection Strategies
- Implement web application firewall (WAF) rules to detect SQL injection patterns in requests to the queryview.php endpoint
- Monitor application logs for requests containing SQL metacharacters in the custom and value parameters
- Enable database query logging and audit for anomalous query patterns
- Deploy intrusion detection systems with signatures for SQL injection attacks
Monitoring Recommendations
- Configure alerting for high-volume or unusual requests to the vulnerable endpoint
- Implement database activity monitoring to detect unauthorized data access or exfiltration
- Monitor for authentication anomalies that may indicate compromised accounts being used for exploitation
- Review web server access logs for suspicious parameter values in query strings
How to Mitigate CVE-2026-35184
Immediate Actions Required
- Upgrade EcclesiaCRM to version 8.0.0 or later immediately
- If immediate upgrade is not possible, restrict access to the v2/templates/query/queryview.php endpoint
- Review database logs for evidence of exploitation
- Audit user accounts for unauthorized access or suspicious activity
Patch Information
The vulnerability has been fixed in EcclesiaCRM version 8.0.0. The patch implements proper input sanitization and parameterized queries to prevent SQL injection through the affected parameters. Technical details of the fix can be found in the GitHub commit and the associated pull request.
Workarounds
- Deploy a web application firewall with SQL injection detection rules to filter malicious requests
- Implement network-level access controls to limit who can reach the EcclesiaCRM application
- Apply the principle of least privilege to the database user account used by EcclesiaCRM
- Consider temporarily disabling custom query functionality if not essential for operations
# Example: Restricting access to vulnerable endpoint via .htaccess (temporary workaround)
# Add to your Apache configuration or .htaccess file
<Files "queryview.php">
Require ip 192.168.1.0/24
# Or deny all external access until patched
# Require all denied
</Files>
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
