CVE-2026-39318 Overview
CVE-2026-39318 is a SQL injection vulnerability [CWE-89] in ChurchCRM, an open-source church management system. The flaw affects all versions prior to 7.1.0 and resides in three endpoints: /GroupPropsFormRowOps.php, /PersonCustomFieldsRowOps.php, and /FamilyCustomFieldsRowOps.php. Authenticated users with ManageGroups privileges can exploit the first endpoint, while administrative users can exploit the other two. The attack involves injecting arbitrary SQL statements through the Field parameter to read or modify database tables. The vendor fixed the issue in ChurchCRM 7.1.0.
Critical Impact
Authenticated attackers can inject arbitrary SQL through the Field parameter, compromising the confidentiality, integrity, and availability of the ChurchCRM database.
Affected Products
- ChurchCRM versions prior to 7.1.0
- Endpoint /GroupPropsFormRowOps.php (requires ManageGroups privilege)
- Endpoints /PersonCustomFieldsRowOps.php and /FamilyCustomFieldsRowOps.php (require administrative privileges)
Discovery Timeline
- 2026-04-07 - CVE-2026-39318 published to NVD
- 2026-04-15 - Last updated in NVD database
Technical Details for CVE-2026-39318
Vulnerability Analysis
The vulnerability stems from unsanitized user input being concatenated into SQL queries within three ChurchCRM endpoints. The Field request parameter is interpolated directly into the query string without parameterized statements or proper escaping. Attackers with valid sessions can manipulate this parameter to alter query syntax, extract data, or modify database tables. Because the queries execute under the application's database account, an attacker inherits full read and write access to the application schema.
Root Cause
The root cause is improper neutralization of special elements used in an SQL command [CWE-89]. The affected PHP scripts construct dynamic SQL using the Field parameter without validating it against an allowlist of legitimate column or field identifiers. Prepared statements alone would not have closed the hole: placeholders bind values, not identifiers, so a column name passed through a placeholder is treated as a string literal rather than a column reference. The safe pattern for an identifier-style parameter is a strict allowlist (or a lookup table that maps a user-supplied key to a fixed identifier), and the application did not implement that check.
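The distinction above matters in practice, so here is an added illustration written for this page in Python against an in-memory SQLite database. It is not ChurchCRM's code: the tables and columns (custom_field, users, usr_password_hash), the query shape, and the payload are assumptions made for the demo, not the application's real schema or queries. It shows the flawed splice, why binding the identifier as a value silently returns the wrong thing, and the allowlist that rejects the payload.

```python
import sqlite3

# Constructed schema for the demo; ChurchCRM's real tables are not modelled here.
SCHEMA = """
CREATE TABLE custom_field (fld_id INTEGER PRIMARY KEY, fld_name TEXT, fld_type TEXT);
CREATE TABLE users (usr_id INTEGER PRIMARY KEY, usr_name TEXT, usr_password_hash TEXT);
INSERT INTO custom_field VALUES (1, 'Baptism Date', 'date');
INSERT INTO users VALUES (1, 'admin', '$2y$10$constructed-hash-for-demo');
"""

# Allowlist of column identifiers this (hypothetical) endpoint may ever touch.
ALLOWED_FIELDS = {"fld_name", "fld_type"}

# Attacker-controlled Field value: a scalar subquery spliced into the select list.
PAYLOAD = "(SELECT usr_password_hash FROM users WHERE usr_id = 1)"


def open_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def lookup_vulnerable(conn, field, fld_id):
    """Mimics the CWE-89 pattern: the identifier is spliced into the query text."""
    sql = f"SELECT {field} FROM custom_field WHERE fld_id = ?"
    return conn.execute(sql, (fld_id,)).fetchone()[0]


def lookup_bound(conn, field, fld_id):
    """Binding the identifier as a value does not express the intent: the driver
    sends it as a string literal, so the query yields the text 'fld_name'
    instead of the column's contents. Safe, but functionally wrong."""
    sql = "SELECT ? FROM custom_field WHERE fld_id = ?"
    return conn.execute(sql, (field, fld_id)).fetchone()[0]


def lookup_hardened(conn, field, fld_id):
    """Allowlist check: only a known identifier ever reaches the query text."""
    if field not in ALLOWED_FIELDS:
        raise ValueError(f"unknown field identifier: {field!r}")
    sql = f"SELECT {field} FROM custom_field WHERE fld_id = ?"
    return conn.execute(sql, (fld_id,)).fetchone()[0]


def run_demo():
    """Exercise all three variants and return what each one produced."""
    conn = open_db()
    results = {
        "legit": lookup_vulnerable(conn, "fld_name", 1),   # expected column value
        "attack": lookup_vulnerable(conn, PAYLOAD, 1),     # leaks the password hash
        "bound": lookup_bound(conn, "fld_name", 1),        # returns the literal name
    }
    try:
        lookup_hardened(conn, PAYLOAD, 1)
        results["hardened"] = "executed"
    except ValueError:
        results["hardened"] = "rejected"
    return results


if __name__ == "__main__":
    for name, value in run_demo().items():
        print(f"{name}: {value}")
```

The "bound" case is the reason a naive "just use prepared statements" fix is not enough for this class of bug: the query runs, but every row comes back as the string the user sent. The allowlist keeps the splice while guaranteeing that the spliced text is one of a handful of constants the developer wrote.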
Attack Vector
Exploitation requires network access to the ChurchCRM application and valid authenticated credentials. For /GroupPropsFormRowOps.php, the attacker must hold the ManageGroups permission. For /PersonCustomFieldsRowOps.php and /FamilyCustomFieldsRowOps.php, the attacker must hold an administrative role. Once authenticated, the attacker sends a crafted HTTP request that places SQL syntax inside the Field parameter. The injected payload executes against the backend database, enabling data exfiltration, modification of records, or escalation of impact through stored data tampering. No user interaction is required beyond the attacker's own session.
No verified public exploit code is available. See the ChurchCRM GitHub Security Advisory GHSA-j3vj-59vv-h4rc and GHSA-8r53-w4r6-w62c for technical details.
Detection Methods for CVE-2026-39318
Indicators of Compromise
- HTTP requests to /GroupPropsFormRowOps.php, /PersonCustomFieldsRowOps.php, or /FamilyCustomFieldsRowOps.php whose Field parameter contains SQL keywords such as UNION, SELECT, UPDATE, DROP, or comment sequences (--, /*), or anything other than a plain identifier. Note that standard web server access logs record the query string but not POST bodies, so a Field value sent in a form body is only visible in a WAF audit log or application-level request logging.
- Unexpected schema modifications, new administrative accounts, or altered custom field definitions in the ChurchCRM database.
- Web server access logs showing repeated POST requests to the affected endpoints from a single authenticated session.
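The first and third indicators can be turned into a scanner. The following is an added example written for this page, not part of the advisory or of ChurchCRM: a small Python script over Combined Log Format lines that flags requests to the three endpoints whose Field query parameter is not a plain identifier, and separately counts POSTs to those endpoints whose body (and therefore Field value) the access log does not contain. The log lines, hosts, usernames, and payload are constructed for the demo.

```python
import re
from urllib.parse import parse_qs, urlsplit

# The three endpoints named in the advisory.
AFFECTED = {
    "/GroupPropsFormRowOps.php",
    "/PersonCustomFieldsRowOps.php",
    "/FamilyCustomFieldsRowOps.php",
}

# A legitimate identifier-style Field value: letters, digits, underscore.
IDENT_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]{0,63}$")
# SQL tokens that never belong in an identifier. Word boundaries keep
# ordinary names such as "selection" or "updated_at" from matching.
SQLI_RE = re.compile(r"(?i)\b(union|select|insert|update|delete|drop)\b|--|/\*|;|'")

# Combined Log Format prefix; referer and user agent are ignored.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)


def classify_field(value):
    """None for a plain identifier; otherwise a short reason it is suspicious."""
    if IDENT_RE.match(value):
        return None
    m = SQLI_RE.search(value)
    return f"sql token {m.group(0)!r}" if m else "non-identifier characters"


def scan_log(text):
    """Return SQLi hits on the affected endpoints plus a count of POSTs to
    them whose Field value is invisible because access logs omit bodies."""
    hits, opaque_posts = [], 0
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m["target"])
        if parts.path not in AFFECTED:
            continue
        values = parse_qs(parts.query).get("Field", [])
        if m["method"] == "POST" and not values:
            opaque_posts += 1  # body not logged: needs WAF/audit logging to inspect
            continue
        for value in values:
            reason = classify_field(value)
            if reason:
                hits.append({"ip": m["ip"], "user": m["user"], "ts": m["ts"],
                             "path": parts.path, "field": value, "reason": reason})
    return {"hits": hits, "opaque_posts": opaque_posts}


# Constructed sample lines; hosts, users, and the payload are made up for the demo.
SAMPLE_LOG = """\
10.0.0.5 - admin [15/Apr/2026:10:00:01 +0000] "GET /PersonCustomFieldsRowOps.php?Field=fld_name HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.9 - jdoe [15/Apr/2026:10:00:07 +0000] "GET /GroupPropsFormRowOps.php?Field=prop1%20UNION%20SELECT%20password_hash%20FROM%20users-- HTTP/1.1" 200 2048 "-" "curl/8.0"
10.0.0.9 - jdoe [15/Apr/2026:10:00:09 +0000] "POST /GroupPropsFormRowOps.php HTTP/1.1" 302 0 "-" "curl/8.0"
10.0.0.5 - admin [15/Apr/2026:10:00:20 +0000] "GET /index.php?Field=x%20UNION%20SELECT HTTP/1.1" 200 100 "-" "Mozilla/5.0"
"""

if __name__ == "__main__":
    report = scan_log(SAMPLE_LOG)
    for h in report["hits"]:
        print(f"{h['ts']} {h['ip']} user={h['user']} {h['path']} Field={h['field']!r}: {h['reason']}")
    print(f"POSTs to affected endpoints with unlogged bodies: {report['opaque_posts']}")
```

The identifier check is deliberately the primary test and the keyword regex only the explanation: a Field value that is not a bare identifier is already anomalous for these endpoints, whether or not it happens to contain a keyword on the list. The opaque_posts count is a reminder that a clean access log is not evidence of absence; request-body logging is needed to close that gap.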
Detection Strategies
- Deploy web application firewall rules that inspect the Field parameter on the three affected endpoints and block SQL metacharacters.
- Enable database query logging (or the general log of the database server) for the ChurchCRM database account and alert on queries from the custom-field or group-property code paths whose column list contains identifiers outside the expected set, or that reference user, credential, or privilege tables those endpoints have no reason to touch.
- Review audit logs for privileged actions performed by accounts that should not be modifying custom fields or group properties.
Monitoring Recommendations
- Correlate authenticated user sessions with anomalous database write volume to detect tampering.
- Monitor for privilege changes, especially additions to administrative or ManageGroups roles, which would expand the exploitable user population.
- Forward web server and database logs to a centralized analytics platform for long-term retention and retrospective hunting once patches are applied.
How to Mitigate CVE-2026-39318
Immediate Actions Required
- Upgrade ChurchCRM to version 7.1.0 or later, which contains the official fix.
- Audit existing administrative and ManageGroups accounts and revoke any unnecessary privileges.
- Rotate credentials and session tokens for all administrative users after upgrading.
- Review the database for unauthorized schema changes, modified custom fields, or rogue accounts.
Patch Information
The vendor released ChurchCRM 7.1.0 to remediate this vulnerability. Refer to the ChurchCRM GitHub Security Advisory GHSA-j3vj-59vv-h4rc for upgrade instructions and patch details.
Workarounds
- Restrict network access to the ChurchCRM application to trusted administrators until the upgrade is applied.
- Temporarily remove the ManageGroups permission from non-essential accounts to reduce the exploitable user base.
- Place a web application firewall in front of ChurchCRM with rules that block SQL injection patterns in the Field parameter on the three affected endpoints.
# Example ModSecurity rule to block SQL metacharacters in the Field parameter on the
# three affected endpoints. Illustrative only: test it against legitimate field names
# before enforcing, and adapt the rule id and actions to your environment.
# In phase 2 the ARGS collection covers both the query string and the POST body.
SecRule REQUEST_FILENAME "@rx (?i)/(GroupPropsFormRowOps|PersonCustomFieldsRowOps|FamilyCustomFieldsRowOps)\.php$" \
    "id:1039318,phase:2,deny,status:403,log,chain,msg:'CVE-2026-39318 SQLi attempt in Field parameter'"
    SecRule ARGS:Field "@rx (?i)\b(union|select|insert|update|delete|drop)\b|--|/\*|;|'" "t:none"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


