CVE-2026-39329 Overview
CVE-2026-39329 is a SQL injection vulnerability discovered in ChurchCRM, an open-source church management system. Prior to version 7.1.0, an authenticated SQL injection vulnerability was identified in /EventNames.php. Authenticated users with AddEvent privileges can inject malicious SQL via the newEvtTypeCntLst parameter during event type creation. The vulnerable flow reaches an ON DUPLICATE KEY UPDATE clause where unescaped user input is interpolated directly into the SQL query.
Critical Impact
Authenticated attackers can exploit this SQL injection vulnerability to read, modify, or delete sensitive church management data, potentially compromising member personal information, financial records, and administrative credentials.
Affected Products
- ChurchCRM versions prior to 7.1.0
- ChurchCRM installations with AddEvent privileges enabled for users
- Self-hosted ChurchCRM deployments exposed to authenticated users
Discovery Timeline
- 2026-04-07 - CVE-2026-39329 published to NVD
- 2026-04-08 - Last updated in NVD database
Technical Details for CVE-2026-39329
Vulnerability Analysis
This SQL injection vulnerability (CWE-89) affects the event type creation functionality in ChurchCRM. The flaw exists because user-supplied input in the newEvtTypeCntLst parameter is not properly sanitized before being incorporated into SQL statements. When an authenticated user with AddEvent privileges creates a new event type, the application constructs a database query using an ON DUPLICATE KEY UPDATE clause that directly interpolates the unsanitized user input.
The vulnerability allows attackers to break out of the intended query structure and execute arbitrary SQL commands against the underlying database. This could enable data exfiltration, modification of existing records, or escalation of privileges within the application by manipulating user roles stored in the database.
Root Cause
The root cause of this vulnerability is improper input validation and the use of unsanitized user input in SQL query construction. The /EventNames.php endpoint fails to implement parameterized queries or prepared statements when handling the newEvtTypeCntLst parameter. Instead, the application directly concatenates user input into the SQL statement, creating a classic SQL injection vector.
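The defect class described above, shown as an added stand-alone example rather than ChurchCRM's own code: a concatenated upsert beside the parameterized form the page says the fix relies on. It uses Python and sqlite, whose ON CONFLICT ... DO UPDATE clause is the analogue of MySQL's ON DUPLICATE KEY UPDATE; the table name, column names and the sample input are assumptions. An ordinary value containing an apostrophe is enough to show the difference: the concatenated statement stops parsing, while the bound parameter stores the value verbatim.

```python
import sqlite3

# Constructed illustration of CWE-89 in an upsert path. Not ChurchCRM's code:
# table/column names are assumed, and sqlite's "ON CONFLICT ... DO UPDATE"
# (sqlite >= 3.24) stands in for MySQL's ON DUPLICATE KEY UPDATE.

def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE event_types (name TEXT PRIMARY KEY, count_list TEXT)")
    return conn

def upsert_vulnerable(conn, name, count_list):
    # Defect: user input is interpolated straight into the statement text, so any
    # quote in count_list changes the SQL structure. Kept only to show the failure.
    sql = (
        f"INSERT INTO event_types (name, count_list) VALUES ('{name}', '{count_list}') "
        f"ON CONFLICT(name) DO UPDATE SET count_list = '{count_list}'"
    )
    conn.execute(sql)
    conn.commit()

def upsert_safe(conn, name, count_list):
    # Fix: bound parameters. The driver ships the values separately from the SQL
    # text, so the input is never parsed as SQL and is stored exactly as given.
    conn.execute(
        "INSERT INTO event_types (name, count_list) VALUES (?, ?) "
        "ON CONFLICT(name) DO UPDATE SET count_list = excluded.count_list",
        (name, count_list),
    )
    conn.commit()

def read_count_list(conn, name):
    row = conn.execute(
        "SELECT count_list FROM event_types WHERE name = ?", (name,)
    ).fetchone()
    return row[0] if row else None

def demo():
    # Constructed input: a plausible value that happens to contain an apostrophe.
    tricky = "Men's breakfast,Choir"
    results = {}

    conn = make_db()
    try:
        upsert_vulnerable(conn, "Service", tricky)
        results["vulnerable"] = "accepted"
    except sqlite3.Error as exc:
        # The apostrophe ended the string literal; the statement no longer parses.
        results["vulnerable"] = "sql-error: " + type(exc).__name__
    conn.close()

    conn = make_db()
    upsert_safe(conn, "Service", tricky)
    upsert_safe(conn, "Service", tricky + ",Youth")  # second call exercises the UPDATE branch
    results["safe"] = read_count_list(conn, "Service")
    conn.close()
    return results

if __name__ == "__main__":
    print(demo())
```

The same split applies to PHP: the fix is a PDO prepared statement with bound values, not escaping bolted onto string concatenation, because the ON DUPLICATE KEY UPDATE clause repeats the interpolated value and every occurrence has to be safe.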
Attack Vector
The attack is network-accessible and requires low complexity to exploit. An attacker must first authenticate to the ChurchCRM application with an account that has AddEvent privileges. Once authenticated, the attacker can craft a malicious payload in the newEvtTypeCntLst parameter when creating a new event type. The malicious input is processed by the vulnerable code path and executed against the database during the ON DUPLICATE KEY UPDATE operation.
The attack does not require user interaction beyond the attacker's own actions, and a successful exploit could result in complete compromise of database confidentiality, integrity, and availability.
Detection Methods for CVE-2026-39329
Indicators of Compromise
- Unusual SQL error messages in application logs related to /EventNames.php
- Database audit logs showing unexpected SELECT, UPDATE, or DELETE operations
- Anomalous data modifications in event-related database tables
- Authentication logs showing access patterns from users with AddEvent privileges followed by suspicious database activity
Detection Strategies
- Implement web application firewall (WAF) rules to detect SQL injection patterns in HTTP POST parameters
- Monitor application logs for SQL syntax errors originating from the event management module
- Deploy database activity monitoring to detect anomalous queries against ChurchCRM tables
- Configure intrusion detection systems to alert on common SQL injection payloads in web traffic
Monitoring Recommendations
- Enable detailed logging for the /EventNames.php endpoint and related database operations
- Set up alerts for multiple failed SQL queries in short time periods
- Monitor for unauthorized data exports or bulk database reads
- Review access logs for accounts with AddEvent privileges for suspicious activity patterns
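The two log-based controls above (SQL syntax errors from the event module, and bursts of failed queries in a short window) as one added detection example. This is not ChurchCRM's or any vendor's code; the Apache-style error_log lines, client IPs, timestamps and the /var/www/churchcrm path are constructed for the demo, and the thresholds are assumptions to tune for your environment.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in Apache 2.4 error_log style carrying PHP/PDO errors.
# Paths, IPs and timestamps are made up for this example.
SAMPLE_LOG = """\
[Tue Apr 07 10:15:02.101 2026] [php:error] [pid 2211] [client 203.0.113.5:51234] PHP Fatal error:  Uncaught PDOException: SQLSTATE[42000]: Syntax error or access violation: 1064 You have an error in your SQL syntax in /var/www/churchcrm/EventNames.php:88
[Tue Apr 07 10:15:03.517 2026] [php:error] [pid 2211] [client 203.0.113.5:51234] PHP Fatal error:  Uncaught PDOException: SQLSTATE[42000]: Syntax error or access violation: 1064 You have an error in your SQL syntax in /var/www/churchcrm/EventNames.php:88
[Tue Apr 07 10:15:04.009 2026] [php:error] [pid 2213] [client 203.0.113.5:51240] PHP Fatal error:  Uncaught PDOException: SQLSTATE[42000]: Syntax error or access violation: 1064 You have an error in your SQL syntax in /var/www/churchcrm/EventNames.php:88
[Tue Apr 07 10:20:44.330 2026] [php:warning] [pid 2214] [client 198.51.100.7:40022] PHP Warning:  Undefined variable $foo in /var/www/churchcrm/Reports.php:12
[Tue Apr 07 11:02:10.777 2026] [php:error] [pid 2215] [client 198.51.100.7:40030] PHP Fatal error:  Uncaught PDOException: SQLSTATE[42000]: Syntax error or access violation: 1064 You have an error in your SQL syntax in /var/www/churchcrm/EventNames.php:88
"""

LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[(?P<module>[^\]]+)\] \[pid \d+(?::tid \d+)?\] "
    r"\[client (?P<ip>[\d.]+):\d+\] (?P<msg>.*)$"
)
# Driver-level SQL failures: a PDO SQLSTATE code or MySQL's syntax-error text.
SQL_ERROR_RE = re.compile(r"SQLSTATE\[|error in your SQL syntax", re.IGNORECASE)
TS_FORMAT = "%a %b %d %H:%M:%S.%f %Y"

def parse_line(line):
    m = LINE_RE.match(line)
    if not m:
        return None
    return {
        "ts": datetime.strptime(m.group("ts"), TS_FORMAT),
        "ip": m.group("ip"),
        "msg": m.group("msg"),
    }

def find_sql_errors(log_text, script="EventNames.php"):
    # Keep only SQL errors raised while the endpoint of interest was executing.
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and script in rec["msg"] and SQL_ERROR_RE.search(rec["msg"]):
            hits.append(rec)
    return hits

def burst_alerts(events, threshold=3, window=timedelta(minutes=5)):
    # Sliding window per client IP: alert once `threshold` SQL errors fall inside `window`.
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e["ts"])
    alerts = []
    for ip, stamps in by_ip.items():
        stamps.sort()
        start = 0
        for end in range(len(stamps)):
            while stamps[end] - stamps[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                alerts.append({"ip": ip, "count": end - start + 1,
                               "first": stamps[start], "last": stamps[end]})
                break  # one alert per client is enough for triage
    return alerts

if __name__ == "__main__":
    hits = find_sql_errors(SAMPLE_LOG)
    print(f"{len(hits)} SQL errors tied to EventNames.php")
    for a in burst_alerts(hits):
        print(f"ALERT {a['ip']}: {a['count']} SQL errors between {a['first']} and {a['last']}")
```

A single SQL error on this endpoint is worth a look on its own (the fixed code should not produce any), so the burst rule is a prioritisation aid, not a filter; correlate the client IP with the authenticated account in the application's own logs before acting on it.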
How to Mitigate CVE-2026-39329
Immediate Actions Required
- Upgrade ChurchCRM to version 7.1.0 or later immediately
- Review database logs for evidence of exploitation prior to patching
- Audit user accounts with AddEvent privileges and revoke unnecessary access
- Implement network-level restrictions to limit access to the ChurchCRM application
Patch Information
The vulnerability is fixed in ChurchCRM version 7.1.0. Organizations should upgrade to this version or later to remediate the SQL injection vulnerability. The patch implements proper input sanitization for the newEvtTypeCntLst parameter, preventing malicious SQL injection attacks. For detailed information about the security fix, refer to the GitHub Security Advisory.
Workarounds
- Restrict AddEvent privileges to only essential administrative accounts until patching is complete
- Implement a web application firewall with SQL injection detection rules in front of ChurchCRM
- Disable or restrict network access to the /EventNames.php endpoint temporarily
- Enable database query logging and monitor for suspicious SQL patterns
# Example: Restrict access to EventNames.php via Apache configuration
<Location "/EventNames.php">
    # Limit access to trusted internal networks only
    Require ip 192.168.1.0/24
</Location>
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.