CVE-2026-39319 Overview
CVE-2026-39319 is a second-order SQL injection vulnerability in ChurchCRM, an open-source church management system. The flaw lies in the /FundRaiserEditor.php endpoint: any authenticated user, regardless of privilege level, can inject arbitrary SQL statements through the iCurrentFundraiser PHP session parameter. Successful exploitation lets an attacker extract and modify sensitive information directly in the database.
Critical Impact
Authenticated attackers can execute arbitrary SQL commands, potentially leading to complete database compromise including extraction of sensitive member data, financial records, and administrative credentials.
Affected Products
- ChurchCRM versions prior to 7.1.0
- ChurchCRM installations with the /FundRaiserEditor.php endpoint exposed
- Any ChurchCRM deployment where user authentication is possible
Discovery Timeline
- 2026-04-07 - CVE-2026-39319 published to NVD
- 2026-04-08 - Last updated in NVD database
Technical Details for CVE-2026-39319
Vulnerability Analysis
This vulnerability is classified as a second-order SQL injection (CWE-89). Unlike a classic SQL injection, the malicious payload is not executed by the request that delivers it: the application first stores the attacker's input (here, in the PHP session as the iCurrentFundraiser parameter) and only later retrieves it and uses it in a SQL query without proper sanitization.
The attack requires only basic authentication to the ChurchCRM system; no elevated privileges are necessary. This low barrier to exploitation significantly increases the risk, since any registered user of the church management system could potentially compromise the entire database.
Root Cause
The root cause of this vulnerability is insufficient input validation and improper handling of user-controlled data stored in PHP session variables. The iCurrentFundraiser session parameter is trusted by the application when constructing SQL queries in the /FundRaiserEditor.php endpoint, allowing attackers to inject malicious SQL syntax that gets executed against the backend database.
Attack Vector
The attack is network-accessible and follows the multi-step process typical of second-order SQL injection:
- An attacker authenticates to ChurchCRM with any valid user credentials
- The attacker manipulates the iCurrentFundraiser PHP session parameter to contain malicious SQL payload
- When the /FundRaiserEditor.php endpoint processes a request, it retrieves the tainted session value
- The unsanitized value is incorporated into a SQL query and executed
- The attacker can extract sensitive data through error-based, blind, or UNION-based SQL injection techniques
The vulnerability allows both data extraction and modification, meaning attackers could not only steal sensitive church member information but also alter financial records, membership data, or inject administrative accounts.
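The root cause and attack vector described above, modelled as an added Python example that is not ChurchCRM's code and does not use its schema. The `fundraiser` table with columns `fr_ID`/`fr_Title`, the in-memory SQLite database, the session dictionary and all function names are constructed for the illustration. A first request stores a user-supplied id in the session (the first-order step); a later request reads it back into a query (the second-order step). The vulnerable loader concatenates the session value into SQL, while the hardened path validates the value as a plain integer before it is stored and binds it as a query parameter when it is used, so each layer is safe on its own.

```python
import re
import sqlite3

# Constructed sample table standing in for a fundraiser table; not ChurchCRM's schema.
def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE fundraiser (fr_ID INTEGER PRIMARY KEY, fr_Title TEXT)")
    conn.executemany(
        "INSERT INTO fundraiser VALUES (?, ?)",
        [(1, "Spring Gala"), (2, "Building Fund"), (3, "Youth Camp")],
    )
    conn.commit()
    return conn


# Step 1 (first order): a request handler stores the user-supplied id in the session.
def store_selection_unchecked(session: dict, raw_id: str) -> None:
    # Flawed pattern: the value is stored as-is, so the taint survives into later requests.
    session["iCurrentFundraiser"] = raw_id


def store_selection_validated(session: dict, raw_id: str) -> None:
    # Hardened: only a plain non-negative decimal integer is allowed into the session.
    if re.fullmatch(r"[0-9]+", raw_id) is None:
        raise ValueError("iCurrentFundraiser must be a non-negative integer")
    session["iCurrentFundraiser"] = int(raw_id)


# Step 2 (second order): a later request reads the session value into a query.
def load_fundraiser_vulnerable(conn: sqlite3.Connection, session: dict) -> list:
    # Flawed pattern: the session value is trusted and concatenated into the SQL text.
    sql = "SELECT fr_ID, fr_Title FROM fundraiser WHERE fr_ID = " + str(
        session["iCurrentFundraiser"]
    )
    return conn.execute(sql).fetchall()


def load_fundraiser_hardened(conn: sqlite3.Connection, session: dict) -> list:
    # Hardened: re-check the type (defence in depth) and bind the value as a parameter,
    # so the database never interprets it as SQL syntax.
    fr_id = session["iCurrentFundraiser"]
    if not isinstance(fr_id, int):
        raise TypeError("session value for iCurrentFundraiser is not an integer")
    return conn.execute(
        "SELECT fr_ID, fr_Title FROM fundraiser WHERE fr_ID = ?", (fr_id,)
    ).fetchall()


if __name__ == "__main__":
    db = make_db()
    tainted = {}
    store_selection_unchecked(tainted, "2 OR 1=1")  # constructed tainted input
    print("vulnerable:", load_fundraiser_vulnerable(db, tainted))  # every row leaks
    clean = {}
    store_selection_validated(clean, "2")
    print("hardened:", load_fundraiser_hardened(db, clean))  # only fr_ID 2
```

The validated store is the primary fix for a second-order flaw (the taint never reaches the session), and the parameterized loader is the safety net that holds even when an older code path writes the session without validation.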
Detection Methods for CVE-2026-39319
Indicators of Compromise
- Unusual SQL error messages appearing in application logs related to the FundRaiserEditor.php endpoint
- Anomalous database queries containing SQL injection patterns such as UNION SELECT, OR 1=1, or comment sequences
- Unexpected modifications to database records, particularly in fundraiser-related tables
- Session manipulation attempts showing malformed or suspicious iCurrentFundraiser values
Detection Strategies
- Implement web application firewall (WAF) rules to detect SQL injection patterns in HTTP requests and session data
- Monitor application logs for PHP errors or database exceptions originating from FundRaiserEditor.php
- Deploy database activity monitoring to identify unusual query patterns or unauthorized data access
- Review authentication logs for accounts making repeated requests to the vulnerable endpoint
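The indicators and detection strategies above, turned into an added Python example that is not part of the original advisory: it scans web-server access lines and PHP error lines for the endpoint name, flags SQL error text and the injection patterns the page names (UNION SELECT, OR 1=1, comment sequences) after URL-decoding, and counts requests per account so repeated access to the endpoint stands out. The log lines, user names, IP addresses, the `/srv/app/` path and the `analyse` function are all constructed for the illustration; the SQLSTATE and MySQL 1064 codes are the real generic syntax-error codes, not output taken from ChurchCRM.

```python
import re
from collections import Counter
from urllib.parse import unquote_plus

ENDPOINT = "FundRaiserEditor.php"

# Database error text as surfaced by PHP/PDO or MySQL drivers.
SQL_ERROR = re.compile(r"SQLSTATE\[|PDOException|error in your SQL syntax", re.I)
# Injection patterns named in the advisory: UNION SELECT, OR 1=1, comment sequences.
INJECTION = re.compile(r"UNION\s+SELECT|\bOR\s+1\s*=\s*1\b|--\s|/\*", re.I)
# Minimal Apache/nginx combined-format prefix: client, authenticated user, request line.
ACCESS_LINE = re.compile(r'^(?P<ip>\S+) - (?P<user>\S+) \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+)')

# Constructed sample log lines (not real ChurchCRM output): normal traffic from alice,
# five requests from eve including one with an injection pattern, and one PHP error.
SAMPLE_LOGS = [
    '10.0.0.5 - alice [07/Apr/2026:10:01:12 +0000] "GET /FundRaiserEditor.php?FundRaiserID=12 HTTP/1.1" 200 5120',
    '10.0.0.5 - alice [07/Apr/2026:10:01:20 +0000] "GET /index.php HTTP/1.1" 200 2210',
    '10.0.0.9 - eve [07/Apr/2026:10:02:01 +0000] "GET /FundRaiserEditor.php?FundRaiserID=1 HTTP/1.1" 200 5118',
    '10.0.0.9 - eve [07/Apr/2026:10:02:03 +0000] "GET /FundRaiserEditor.php?FundRaiserID=2 HTTP/1.1" 200 5118',
    '10.0.0.9 - eve [07/Apr/2026:10:02:04 +0000] "GET /FundRaiserEditor.php?FundRaiserID=3 HTTP/1.1" 200 5118',
    '10.0.0.9 - eve [07/Apr/2026:10:02:05 +0000] "GET /FundRaiserEditor.php?FundRaiserID=1%20OR%201%3D1 HTTP/1.1" 500 311',
    '[07-Apr-2026 10:02:05 UTC] PHP Fatal error:  Uncaught PDOException: SQLSTATE[42000]: Syntax error or access violation: 1064 You have an error in your SQL syntax in /srv/app/FundRaiserEditor.php',
    '10.0.0.9 - eve [07/Apr/2026:10:02:09 +0000] "GET /FundRaiserEditor.php HTTP/1.1" 200 5118',
]


def analyse(lines, repeat_threshold: int = 5) -> list:
    """Return (kind, detail) findings for lines that involve the vulnerable endpoint."""
    findings = []
    per_user = Counter()
    for line in lines:
        if ENDPOINT not in line:
            continue
        decoded = unquote_plus(line)  # catch %20UNION%20SELECT and friends
        if SQL_ERROR.search(decoded):
            findings.append(("sql_error", line))
        if INJECTION.search(decoded):
            findings.append(("injection_pattern", line))
        m = ACCESS_LINE.match(line)
        if m:
            per_user[m.group("user")] += 1
    for user, n in sorted(per_user.items()):
        if n >= repeat_threshold:
            findings.append(("repeated_access", f"{user} made {n} requests to {ENDPOINT}"))
    return findings


if __name__ == "__main__":
    for kind, detail in analyse(SAMPLE_LOGS):
        print(f"[{kind}] {detail}")
```

The threshold and patterns are deliberately simple; in production the same three checks would sit in a SIEM rule with the session-value check fed from application logging, since a web-server log never sees the PHP session contents themselves.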
Monitoring Recommendations
- Enable detailed logging for the /FundRaiserEditor.php endpoint and related database queries
- Configure alerts for SQL syntax errors and database exception conditions
- Implement user behavior analytics to detect anomalous access patterns from authenticated users
- Regularly audit database access logs for signs of data exfiltration or unauthorized modifications
How to Mitigate CVE-2026-39319
Immediate Actions Required
- Upgrade ChurchCRM to version 7.1.0 or later immediately to address this vulnerability
- Review database logs for signs of exploitation prior to patching
- Audit user accounts for unauthorized changes or suspicious activity
- Consider temporarily restricting access to the /FundRaiserEditor.php endpoint until patching is complete
Patch Information
ChurchCRM has released version 7.1.0 which addresses this SQL injection vulnerability. Organizations running affected versions should upgrade immediately. For detailed information about the security fix, refer to the ChurchCRM Security Advisory on GitHub.
Workarounds
- Implement input validation at the application layer for the iCurrentFundraiser session parameter
- Deploy a web application firewall (WAF) with SQL injection detection rules
- Restrict database user privileges used by ChurchCRM to minimum required permissions
- Consider network segmentation to limit access to the ChurchCRM application
# Example: Restrict access to the vulnerable endpoint via .htaccess until patching
# Add to your Apache configuration or .htaccess file
# Note: Order/Deny/Allow is the Apache 2.2 access-control syntax; on Apache 2.4 it
# only works when mod_access_compat is loaded
<Files "FundRaiserEditor.php">
    Order Deny,Allow
    Deny from all
    # Allow only trusted admin IPs (replace 192.168.1.0/24 with your own range)
    Allow from 192.168.1.0/24
</Files>
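For deployments on Apache 2.4 without mod_access_compat, the same restriction in the current mod_authz_core syntax, as an added example that is not part of the original advisory (192.168.1.0/24 is a placeholder for your own trusted admin range):

```apache
# Apache 2.4 equivalent of the Order/Deny/Allow block: a single Require ip rule
# admits the listed range and denies every other client by default.
<Files "FundRaiserEditor.php">
    Require ip 192.168.1.0/24
</Files>
```

Restricting the file by name is only a stopgap: it blocks the request that triggers the second-order query, not the earlier request that seeds the session value, so upgrading to 7.1.0 remains the actual fix.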
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.