CVE-2026-39318 Overview
CVE-2026-39318 is an SQL Injection vulnerability affecting ChurchCRM, an open-source church management system. Versions prior to 7.1.0 fail to sanitize the Field parameter in three endpoints, allowing authenticated users to inject arbitrary SQL statements and potentially enabling unauthorized database manipulation and data exfiltration.
Critical Impact
Authenticated attackers can inject arbitrary SQL statements to modify database tables, potentially compromising sensitive church member data, financial records, and administrative credentials.
Affected Products
- ChurchCRM versions prior to 7.1.0
- Endpoint /GroupPropsFormRowOps.php (requires ManageGroups privileges)
- Endpoints /PersonCustomFieldsRowOps.php and /FamilyCustomFieldsRowOps.php (requires administrative access)
Discovery Timeline
- April 7, 2026 - CVE-2026-39318 published to NVD
- April 9, 2026 - Last updated in NVD database
Technical Details for CVE-2026-39318
Vulnerability Analysis
This SQL Injection vulnerability (CWE-89) exists in three separate endpoints within ChurchCRM's codebase. The vulnerability stems from improper sanitization of user-supplied input in the Field parameter before it is incorporated into SQL queries. When exploited, an authenticated attacker can inject malicious SQL statements that execute with the privileges of the database user configured for the ChurchCRM application.
The attack requires authentication, but the privilege requirements vary by endpoint. The /GroupPropsFormRowOps.php endpoint requires only ManageGroups privileges, which may be assigned to non-administrative users, while the /PersonCustomFieldsRowOps.php and /FamilyCustomFieldsRowOps.php endpoints require administrative access.
Root Cause
The root cause of this vulnerability is the failure to validate and sanitize the Field parameter in the affected PHP endpoints before using it in database queries. The application incorporates user-controlled input directly into SQL statements without parameterized queries or proper escaping, allowing attackers to break out of the intended query structure and inject their own SQL commands. Note that parameter binding only covers values; if a request parameter is used as a column or table identifier, it cannot be bound and must instead be checked against a strict allowlist of permitted names.
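The following is an added example, not ChurchCRM's code, that reproduces the CWE-89 pattern described above against an in-memory SQLite database. It assumes, for illustration only, that the Field parameter is compared against a column in a WHERE clause; the real ChurchCRM query shape, table names and column names are not reproduced, and the custom_field and users tables and their rows are constructed sample data. The vulnerable function concatenates the parameter into the query; the hardened one allowlists the identifier and binds it.

```python
import re
import sqlite3

# Constructed sample data (not ChurchCRM's real schema).
CUSTOM_FIELDS = [
    ("c1", "Baptism Date", "date"),
    ("c2", "Allergies", "text"),
    ("c3", "Emergency Contact", "text"),
]
USERS = [
    ("admin", "$2y$10$constructedhashA"),
    ("volunteer", "$2y$10$constructedhashB"),
]


def make_db():
    """Build a throwaway database with a lookup table and a credentials table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE custom_field (field TEXT PRIMARY KEY, name TEXT, type TEXT)")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, password_hash TEXT)")
    conn.executemany("INSERT INTO custom_field VALUES (?, ?, ?)", CUSTOM_FIELDS)
    conn.executemany("INSERT INTO users VALUES (?, ?)", USERS)
    return conn


def lookup_vulnerable(conn, field):
    """CWE-89: the request parameter is spliced into the WHERE clause, so a
    single quote in `field` terminates the literal and the rest is parsed as SQL."""
    sql = "SELECT field, name FROM custom_field WHERE field = '" + field + "'"
    return conn.execute(sql).fetchall()


# Allowlist for an identifier-like parameter: letters, digits, underscore only.
FIELD_RE = re.compile(r"[A-Za-z0-9_]{1,32}")


def lookup_hardened(conn, field):
    """Fix: reject anything outside the allowlist, then bind the value so the
    driver never interprets it as SQL syntax."""
    if not FIELD_RE.fullmatch(field):
        raise ValueError("invalid Field value")
    return conn.execute(
        "SELECT field, name FROM custom_field WHERE field = ?", (field,)
    ).fetchall()


def demo():
    """Run a benign value, a tautology payload and a UNION payload through both paths."""
    conn = make_db()
    benign = "c2"
    tautology = "c2' OR '1'='1"  # constructed payload: returns every row
    # constructed payload: pulls the credentials table through the same query
    union = "x' UNION SELECT username, password_hash FROM users --"

    hardened_blocked = 0
    for payload in (tautology, union):
        try:
            lookup_hardened(conn, payload)
        except ValueError:
            hardened_blocked += 1

    return {
        "vuln_benign": len(lookup_vulnerable(conn, benign)),
        "vuln_tautology": len(lookup_vulnerable(conn, tautology)),
        "vuln_union_users": sorted(row[0] for row in lookup_vulnerable(conn, union)),
        "hard_benign": len(lookup_hardened(conn, benign)),
        "hard_blocked": hardened_blocked,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The UNION case is the one that matters for the "data exfiltration" claim: the endpoint only ever meant to return custom-field rows, but the injected query reads rows from an unrelated table with the same database user's privileges. Whether stacked statements (a `;` followed by `UPDATE` or `DELETE`) also work depends on the PHP database driver's configuration, which is why the hardened version rejects the input up front rather than trying to escape it.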
Attack Vector
The attack is conducted over the network by an authenticated user sending a crafted HTTP request to one of the vulnerable endpoints. The malicious payload is delivered through the Field parameter, which the application processes without adequate input validation.
An attacker with the required privileges would craft a request containing SQL injection syntax within the Field parameter. Depending on where the value lands in the query and whether the database driver allows stacked statements, this could include UNION-based injection to extract data from other tables, time-based blind injection to enumerate database contents, or direct modification statements to alter or delete records.
The vulnerability allows attackers to read, modify, or delete data within the database, potentially including sensitive personal information about church members, donation records, and authentication credentials for other users.
Detection Methods for CVE-2026-39318
Indicators of Compromise
- Unusual HTTP requests to /GroupPropsFormRowOps.php, /PersonCustomFieldsRowOps.php, or /FamilyCustomFieldsRowOps.php containing SQL syntax characters
- Web server logs showing Field parameter values with suspicious patterns such as single quotes, UNION statements, or comment sequences
- Database query logs containing unexpected or malformed SQL statements originating from ChurchCRM
- Evidence of unauthorized data access or modification in ChurchCRM's database tables
Detection Strategies
- Implement Web Application Firewall (WAF) rules to detect SQL injection patterns in requests to the affected endpoints
- Monitor application logs for requests containing common SQL injection payloads in the Field parameter
- Enable database query logging and alert on queries with suspicious patterns or syntax errors
- Deploy SentinelOne Singularity to monitor for post-exploitation behaviors following successful SQL injection
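As an added example that is not part of the original page, the detector below applies the log-based strategies above to Apache combined-format access-log lines: it restricts itself to the three endpoints named in the advisory, URL-decodes the Field parameter, and flags quote characters, comment sequences, UNION ... SELECT, stacked statements and timing functions. The log lines are constructed, and the ID and Action parameters, the table and column names in the payloads, and the client addresses are placeholders, not ChurchCRM specifics.

```python
import re
from urllib.parse import parse_qs, unquote_plus, urlsplit

# Endpoints named in the advisory for CVE-2026-39318.
VULNERABLE_ENDPOINTS = {
    "/GroupPropsFormRowOps.php",
    "/PersonCustomFieldsRowOps.php",
    "/FamilyCustomFieldsRowOps.php",
}

# Apache combined log format; the quoted request line carries the query string.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" '
    r"(?P<status>\d{3}) \S+"
)

# Indicators for an identifier-like parameter: a bare quote is already suspicious.
SQLI_PATTERNS = [
    ("quote", re.compile(r"['\"]")),
    ("comment", re.compile(r"(--|/\*|#)")),
    ("union", re.compile(r"\bunion\b.*\bselect\b", re.I)),
    ("stacked", re.compile(r";\s*(select|insert|update|delete|drop)\b", re.I)),
    ("timing", re.compile(r"\b(sleep|benchmark|pg_sleep)\s*\(", re.I)),
]

# Constructed sample log (placeholder parameters, addresses and payloads).
SAMPLE_LOG = """\
203.0.113.7 - - [08/Apr/2026:10:15:01 +0000] "GET /GroupPropsFormRowOps.php?ID=3&Field=4&Action=up HTTP/1.1" 302 -
203.0.113.7 - - [08/Apr/2026:10:15:09 +0000] "GET /GroupPropsFormRowOps.php?ID=3&Field=4%27%20OR%20%271%27%3D%271&Action=up HTTP/1.1" 302 -
198.51.100.22 - - [08/Apr/2026:10:16:40 +0000] "GET /PersonCustomFieldsRowOps.php?Field=c1%27%20UNION%20SELECT%20username%2Cpassword_hash%20FROM%20users--&Action=down HTTP/1.1" 200 512
198.51.100.22 - - [08/Apr/2026:10:17:02 +0000] "GET /FamilyCustomFieldsRowOps.php?Field=c2&Action=delete HTTP/1.1" 302 -
192.0.2.5 - - [08/Apr/2026:10:18:11 +0000] "GET /PersonView.php?PersonID=1%27 HTTP/1.1" 200 9132
"""


def inspect_line(line):
    """Return None for lines that do not hit a vulnerable endpoint, otherwise a
    record with the indicator names matched in each Field value."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    if parts.path not in VULNERABLE_ENDPOINTS:
        return None
    params = parse_qs(parts.query, keep_blank_values=True)
    findings = []
    for raw in params.get("Field", []):
        # parse_qs decoded once; decode again so double-encoded payloads are seen.
        value = unquote_plus(raw)
        hits = [name for name, pattern in SQLI_PATTERNS if pattern.search(value)]
        if hits:
            findings.append({"value": value, "hits": hits})
    return {
        "ip": m.group("ip"),
        "ts": m.group("ts"),
        "path": parts.path,
        "status": m.group("status"),
        "findings": findings,
    }


def scan(log_text):
    """Return only the records whose Field parameter matched an indicator."""
    alerts = []
    for line in log_text.splitlines():
        record = inspect_line(line)
        if record and record["findings"]:
            alerts.append(record)
    return alerts


if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print(alert["ip"], alert["path"], [f["hits"] for f in alert["findings"]])
```

Two caveats apply. Access logs only carry the query string, so if a deployment sends Field in a POST body the same logic has to run on a WAF or application log that records request bodies. And the quote check will fire on legitimate values containing an apostrophe, which is acceptable for an identifier-like parameter on three endpoints but would be too noisy if applied site-wide.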
Monitoring Recommendations
- Configure log aggregation to capture and analyze all HTTP requests to the vulnerable ChurchCRM endpoints
- Set up alerts for queries issued by the ChurchCRM database user that reference tables or columns the application does not normally touch, contain UNION, stacked statements, or comment sequences, or fail with syntax errors; matching on bare SELECT, INSERT, UPDATE, or DELETE keywords would flag nearly every legitimate query
- Monitor for unusual data access patterns or bulk data retrieval from ChurchCRM's database
- Review authentication logs for privilege escalation attempts or unauthorized administrative access
How to Mitigate CVE-2026-39318
Immediate Actions Required
- Upgrade ChurchCRM to version 7.1.0 or later immediately
- Review web server and application logs for evidence of exploitation attempts
- Audit database access logs for suspicious queries targeting ChurchCRM tables
- Review user accounts with ManageGroups or administrative privileges and verify their legitimacy
- Consider implementing additional WAF rules to filter SQL injection attempts as a defense-in-depth measure
Patch Information
The vulnerability is fixed in ChurchCRM version 7.1.0. Organizations should upgrade to this version or later to remediate the vulnerability. Detailed information about the security fix can be found in the GitHub Security Advisory GHSA-8r53-w4r6-w62c and GitHub Security Advisory GHSA-j3vj-59vv-h4rc.
Workarounds
- Restrict access to the vulnerable endpoints at the web server level using IP allowlisting or additional authentication controls; since the flaw already requires a login, this does not stop an authenticated user connecting from an allowed network
- Implement a Web Application Firewall with SQL injection detection rules in front of the ChurchCRM installation
- Disable or remove unused endpoints if the group properties and custom fields features are not required
- Apply the principle of least privilege by limiting the number of users with ManageGroups or administrative privileges
- Consider temporarily taking the ChurchCRM instance offline until the patch can be applied if sensitive data is at risk
# Example Apache 2.4 configuration to restrict access to the vulnerable endpoints.
# Multiple Require directives inside a Location are OR'd, so clients in either
# range are allowed and everyone else receives 403. This only blocks callers
# outside the listed ranges: an authenticated user on an allowed network can
# still reach the endpoints, so treat it as a stopgap until 7.1.0 is deployed.
# Adjust the paths if ChurchCRM is served from a subdirectory rather than the site root.
<Location "/GroupPropsFormRowOps.php">
    Require ip 10.0.0.0/8
    Require ip 192.168.0.0/16
</Location>
<Location "/PersonCustomFieldsRowOps.php">
    Require ip 10.0.0.0/8
    Require ip 192.168.0.0/16
</Location>
<Location "/FamilyCustomFieldsRowOps.php">
    Require ip 10.0.0.0/8
    Require ip 192.168.0.0/16
</Location>
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

