CVE-2026-39325 Overview
ChurchCRM is an open-source church management system. Prior to version 7.1.0, an SQL injection vulnerability was identified in the /SettingsUser.php endpoint; it was confirmed in ChurchCRM 7.0.5. Authenticated administrative users can inject arbitrary SQL statements through the index of the type array parameter, allowing extraction and modification of sensitive information in the database.
Critical Impact
Authenticated administrators can exploit this SQL injection vulnerability to extract, modify, or delete sensitive data from the ChurchCRM database, potentially compromising member information, financial records, and other critical church management data.
Affected Products
- ChurchCRM versions prior to 7.1.0
- ChurchCRM 7.0.5 (confirmed vulnerable)
Discovery Timeline
- 2026-04-07 - CVE-2026-39325 published to NVD
- 2026-04-08 - Last updated in NVD database
Technical Details for CVE-2026-39325
Vulnerability Analysis
This vulnerability is classified as CWE-89 (Improper Neutralization of Special Elements used in an SQL Command), commonly known as SQL Injection. The flaw exists in the /SettingsUser.php endpoint where user-supplied input from the type array parameter is not properly sanitized before being incorporated into SQL queries.
The attack requires authenticated administrative access to the ChurchCRM application, meaning the attacker must first obtain valid administrative credentials. Once authenticated, the attacker can manipulate the index of the type array parameter to inject malicious SQL statements that are executed by the database server.
Root Cause
The root cause stems from insufficient input validation and parameterization in the /SettingsUser.php endpoint. The application fails to properly sanitize or parameterize user input from the type array parameter before constructing SQL queries. This allows specially crafted input to break out of the intended SQL query structure and execute arbitrary database commands.
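The following is an added illustration of the two halves of that root cause, written for this page and not taken from ChurchCRM's code: an index from a type[...] array parameter pasted straight into an SQL string (the CWE-89 pattern), next to a handler that rejects any non-integer index before a query is built and then binds the value with a parameterized statement. The user_config table, its columns and the allowed_ids check are hypothetical and exist only to make the example run against an in-memory SQLite database.

```python
import sqlite3

def build_query_unsafe(index: str) -> str:
    """The anti-pattern behind CWE-89: the array index from the request is
    interpolated into the SQL text. Returned rather than executed, so the
    effect of a hostile index on the statement is visible in tests."""
    return f"UPDATE user_config SET value = 'on' WHERE id = {index}"

def parse_index(raw) -> int:
    """Accept only an ASCII non-negative integer index. Anything else is
    rejected before any SQL exists, so SQL syntax in the index never
    reaches the database (PHP array keys may be arbitrary strings)."""
    s = str(raw)
    if not (s.isascii() and s.isdecimal()):
        raise ValueError(f"rejected non-numeric setting index: {s!r}")
    return int(s)

def update_settings(conn, type_params: dict, allowed_ids: set) -> int:
    """Apply type[<id>]=<value> pairs with a parameterized UPDATE.
    allowed_ids (hypothetical) is the set of setting ids this user may
    change; ids outside it are skipped. Returns the number of rows updated."""
    updated = 0
    for raw_index, value in type_params.items():
        setting_id = parse_index(raw_index)          # validation first
        if setting_id not in allowed_ids:
            continue
        cur = conn.execute(
            "UPDATE user_config SET value = ? WHERE id = ?",   # bound parameters
            (str(value), setting_id),
        )
        updated += cur.rowcount
    conn.commit()
    return updated

def demo_db():
    """Constructed in-memory table standing in for a settings table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE user_config (id INTEGER PRIMARY KEY, name TEXT, value TEXT)")
    conn.executemany(
        "INSERT INTO user_config VALUES (?, ?, ?)",
        [(1, "show_map", "off"), (2, "email_notify", "off"), (3, "admin_only", "off")],
    )
    conn.commit()
    return conn

def read_value(conn, setting_id: int):
    row = conn.execute("SELECT value FROM user_config WHERE id = ?", (setting_id,)).fetchone()
    return row[0] if row else None

if __name__ == "__main__":
    conn = demo_db()
    print("unsafe SQL text:", build_query_unsafe("1 UNION SELECT 1"))
    print("rows updated:", update_settings(conn, {"1": "on"}, {1, 2, 3}))
    try:
        update_settings(conn, {"1 UNION SELECT 1": "on"}, {1, 2, 3})
    except ValueError as exc:
        print("rejected:", exc)
```

The validation step matters even with bound parameters: the id is compared as an integer, so a non-numeric key fails loudly at the application layer, and the allowed_ids check keeps an administrator-facing page from silently updating rows the caller should not own.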
Attack Vector
The attack is network-accessible and requires authenticated administrative privileges. An attacker with valid administrative credentials can send specially crafted HTTP requests to the /SettingsUser.php endpoint, manipulating the type array parameter index to inject SQL statements. This can be used to:
- Extract sensitive data from the database (data exfiltration)
- Modify existing records (data tampering)
- Delete database contents (data destruction)
- Potentially escalate privileges within the application
The vulnerability requires no user interaction beyond the attacker's own actions. For technical implementation details, refer to the GitHub Security Advisory.
Detection Methods for CVE-2026-39325
Indicators of Compromise
- Unusual or malformed requests to the /SettingsUser.php endpoint containing SQL syntax characters
- HTTP requests with anomalous type array parameter values containing SQL keywords such as UNION, SELECT, INSERT, DELETE, or UPDATE
- Unexpected database queries or errors in application logs originating from the SettingsUser functionality
- Evidence of data exfiltration or unauthorized database modifications
Detection Strategies
- Implement Web Application Firewall (WAF) rules to detect and block SQL injection patterns targeting the /SettingsUser.php endpoint
- Configure database audit logging to capture and alert on unusual query patterns or unauthorized data access
- Monitor application access logs for suspicious administrative activity, particularly requests to settings-related endpoints
- Deploy intrusion detection systems (IDS) with SQL injection signature detection enabled
Monitoring Recommendations
- Enable detailed logging for all administrative actions within ChurchCRM
- Set up real-time alerts for SQL error messages or exceptions in application logs
- Monitor database query logs for queries containing user-controlled input from the type parameter
- Implement anomaly detection for unusual data access patterns or query volumes
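As an added example of the log-based detection described in the three lists above (not part of the original advisory), the script below scans web-server access-log lines, picks out requests to /SettingsUser.php, and flags any type[...] parameter whose index is not a plain integer or whose index or value carries the SQL keywords the indicators list names (UNION, SELECT, INSERT, DELETE, UPDATE) or SQL quote and comment characters. The assumption that legitimate indices are integers is the author's; the four log lines are constructed for the demonstration and come from no real deployment.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed sample lines in Apache combined-log style; not from any real system.
SAMPLE_LOG = """\
10.0.0.5 - admin [08/Apr/2026:10:01:12 +0000] "GET /SettingsUser.php?type[1]=on HTTP/1.1" 200 1234
10.0.0.5 - admin [08/Apr/2026:10:01:15 +0000] "GET /SettingsUser.php?type[1%20UNION%20SELECT%201]=on HTTP/1.1" 200 1234
10.0.0.7 - admin [08/Apr/2026:10:02:00 +0000] "GET /SettingsUser.php?type[1%27--]=x HTTP/1.1" 500 88
10.0.0.9 - bob [08/Apr/2026:10:03:44 +0000] "GET /index.php HTTP/1.1" 200 5000
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)
TYPE_KEY = re.compile(r"^type\[(.*)\]$", re.DOTALL)   # type[<index>]
INDEX_OK = re.compile(r"^\d+$")                        # assumed legitimate shape
SQL_KEYWORDS = re.compile(r"\b(UNION|SELECT|INSERT|DELETE|UPDATE)\b", re.IGNORECASE)
SQL_META = re.compile(r"['\";]|--|/\*")                # quotes, terminators, comments

def analyse_line(line: str) -> list:
    """Return a list of findings (dicts) for one access-log line, empty if benign."""
    m = LOG_RE.match(line)
    if not m:
        return []
    parts = urlsplit(m["target"])
    if parts.path != "/SettingsUser.php":
        return []
    findings = []
    # parse_qsl percent-decodes keys and values, so encoded payloads are seen decoded.
    for key, value in parse_qsl(parts.query, keep_blank_values=True):
        km = TYPE_KEY.match(key)
        if not km:
            continue
        index = km.group(1)
        reasons = []
        if not INDEX_OK.match(index):
            reasons.append("non-numeric index")
        if SQL_KEYWORDS.search(index) or SQL_KEYWORDS.search(value):
            reasons.append("sql keyword")
        if SQL_META.search(index) or SQL_META.search(value):
            reasons.append("sql metacharacter")
        if reasons:
            findings.append({
                "ip": m["ip"], "user": m["user"], "time": m["ts"],
                "status": m["status"], "param": key, "reasons": reasons,
            })
    return findings

def scan(log_text: str) -> list:
    """Run analyse_line over every line and concatenate the findings."""
    return [f for line in log_text.splitlines() for f in analyse_line(line)]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

Access logs only record the query string, so this sees GET parameters; type[...] values sent in a POST body are visible only in a WAF log, a reverse-proxy body log, or application-level audit logging, which is why the advisory pairs log review with WAF rules. The HTTP 500 on the third sample line is itself a useful secondary signal: a malformed index that breaks the query often surfaces as an application error before any data leaves.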
How to Mitigate CVE-2026-39325
Immediate Actions Required
- Upgrade ChurchCRM to version 7.1.0 or later immediately
- Review administrative account access and ensure only trusted personnel have admin privileges
- Audit database access logs for any signs of exploitation prior to patching
- Consider temporarily restricting access to the /SettingsUser.php endpoint until the upgrade is complete
Patch Information
The vulnerability has been remediated in ChurchCRM version 7.1.0. Organizations running vulnerable versions should upgrade to 7.1.0 or later as soon as possible. The official security advisory and patch details are available at the ChurchCRM GitHub Security Advisory.
Workarounds
- Implement Web Application Firewall (WAF) rules to filter SQL injection attempts targeting the vulnerable endpoint
- Restrict network access to ChurchCRM administrative interfaces to trusted IP addresses only
- Enforce strong authentication and audit administrative account usage
- Consider placing the application behind a VPN or internal network segment to limit exposure
# Example: Restrict access to SettingsUser.php via Apache configuration
# (Apache 2.4 mod_authz_core syntax; adjacent Require lines are OR'd, so either range is allowed)
<Location "/SettingsUser.php">
    Require ip 10.0.0.0/8
    Require ip 192.168.0.0/16
</Location>
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.