CVE-2026-39330 Overview
CVE-2026-39330 is a SQL Injection vulnerability in ChurchCRM, an open-source church management system. It exists in the /PropertyAssign.php endpoint, where an authenticated user holding both the Manage Groups & Roles (ManageGroups) role and the Edit Records (isEditRecordsEnabled) permission can inject arbitrary SQL statements through the Value parameter. Successful exploitation allows an attacker to extract and modify information in the database, potentially compromising sensitive church member data and system integrity.
Critical Impact
Authenticated attackers can extract, modify, or delete sensitive data from the ChurchCRM database through SQL injection, potentially exposing personal information of church members and compromising system integrity.
Affected Products
- ChurchCRM versions prior to 7.1.0
- ChurchCRM installations with the /PropertyAssign.php endpoint accessible
Discovery Timeline
- 2026-04-07 - CVE-2026-39330 published to NVD
- 2026-04-08 - Last updated in NVD database
Technical Details for CVE-2026-39330
Vulnerability Analysis
This SQL Injection vulnerability (CWE-89) affects the /PropertyAssign.php endpoint in ChurchCRM. The vulnerability requires authentication with specific roles, making it an authenticated attack vector. Users must possess both the ManageGroups role and have isEditRecordsEnabled permissions to exploit this flaw.
The attack is network-accessible and requires no user interaction, making it exploitable by any authenticated user with the appropriate privileges. Once exploited, an attacker gains the ability to read confidential data from the database, modify existing records, and potentially impact database availability depending on the injected queries.
Root Cause
The root cause of this vulnerability is improper input validation and sanitization of the Value parameter in the /PropertyAssign.php endpoint. User-supplied input is directly incorporated into SQL queries without adequate parameterization or escaping, allowing attackers to manipulate query logic through specially crafted input.
Attack Vector
The attack is conducted over the network against authenticated sessions. An attacker with the required roles (ManageGroups and isEditRecordsEnabled) can craft malicious HTTP requests to the /PropertyAssign.php endpoint, injecting SQL code through the Value parameter. This enables extraction of sensitive data through UNION-based or time-based blind SQL injection techniques, as well as modification of database records.
The vulnerability allows arbitrary SQL statement execution, meaning attackers can potentially:
- Extract sensitive member information (names, addresses, financial contributions)
- Modify or delete database records
- Escalate privileges by manipulating user role tables
- Potentially gain further system access depending on database configuration
For detailed technical information, see the GitHub Security Advisory.
Detection Methods for CVE-2026-39330
Indicators of Compromise
- Unusual or malformed requests to /PropertyAssign.php containing SQL syntax in the Value parameter
- Database query logs showing unexpected UNION, SELECT, or other SQL keywords in property assignment operations
- Unexpected changes to database records without corresponding legitimate user actions
- Error messages in application logs indicating SQL syntax errors or injection attempts
Detection Strategies
- Implement Web Application Firewall (WAF) rules to detect SQL injection patterns in requests to /PropertyAssign.php
- Monitor access logs for repeated requests to the vulnerable endpoint with varying Value parameters
- Deploy database activity monitoring to detect anomalous query patterns or unauthorized data access
- Review authentication logs for accounts with ManageGroups and isEditRecordsEnabled roles accessing the vulnerable endpoint
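The indicators and strategies above can be turned into a small log review. The following Python script is an added example, not tooling from the page or from the ChurchCRM project: it parses constructed Apache combined-format access-log lines, decodes the Value parameter of requests to /PropertyAssign.php, applies a few SQL-injection signature rules, and applies the "repeated requests with varying Value parameters" heuristic per client IP. The log lines, IP addresses and the other query parameters (PersonID, PropertyID) are constructed for the demonstration and are not taken from ChurchCRM.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

ENDPOINT = "/PropertyAssign.php"

# Constructed sample lines in Apache "combined" format; not real traffic.
# 10.0.0.5 is an ordinary user (one value contains an apostrophe);
# 10.0.0.9 sends a burst of Value parameters carrying SQL syntax.
SAMPLE_LOG = """\
10.0.0.5 - - [07/Apr/2026:10:01:12 +0000] "GET /PropertyAssign.php?PersonID=12&PropertyID=3&Value=Choir HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.5 - - [07/Apr/2026:10:01:40 +0000] "GET /PropertyAssign.php?PersonID=12&PropertyID=3&Value=O%27Brien HTTP/1.1" 200 498 "-" "Mozilla/5.0"
10.0.0.9 - - [07/Apr/2026:10:02:03 +0000] "GET /PropertyAssign.php?PersonID=12&PropertyID=3&Value=x%27%20UNION%20SELECT%201%2C2%2C3--%20 HTTP/1.1" 500 233 "-" "curl/8.4.0"
10.0.0.9 - - [07/Apr/2026:10:02:05 +0000] "GET /PropertyAssign.php?PersonID=12&PropertyID=3&Value=x%27%20AND%20SLEEP%285%29--%20 HTTP/1.1" 200 498 "-" "curl/8.4.0"
10.0.0.9 - - [07/Apr/2026:10:02:07 +0000] "GET /PropertyAssign.php?PersonID=12&PropertyID=3&Value=x%27%20OR%20%271%27%3D%271 HTTP/1.1" 200 498 "-" "curl/8.4.0"
10.0.0.7 - - [07/Apr/2026:10:03:00 +0000] "GET /index.php HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

# A lone quote or comment marker is a weak signal (legitimate names contain
# apostrophes); the keyword rules are strong signals.
SQLI_RULES = [
    ("quote-or-comment", re.compile(r"'|--|/\*")),
    ("union-select", re.compile(r"\bunion\b.*\bselect\b", re.IGNORECASE)),
    ("time-based", re.compile(r"\b(sleep|benchmark|waitfor)\b", re.IGNORECASE)),
    ("stacked-or-tautology", re.compile(r";\s*\w|\bor\b\s+\S+\s*=\s*\S+", re.IGNORECASE)),
]
STRONG_RULES = {"union-select", "time-based", "stacked-or-tautology"}


def parse_line(line):
    """Split one combined-format line into fields; None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    target = urlsplit(m.group("target"))
    return {
        "ip": m.group("ip"),
        "ts": m.group("ts"),
        "method": m.group("method"),
        "path": target.path,
        "query": parse_qs(target.query),  # percent-decodes the values
        "status": int(m.group("status")),
    }


def classify_value(value):
    """Names of the rules that fire on one decoded Value parameter."""
    return [name for name, rx in SQLI_RULES if rx.search(value)]


def analyze(log_text):
    """Return (findings, hits_per_client).

    findings: one dict per endpoint request whose Value matched a rule.
    hits_per_client: endpoint calls per client IP (injection or not), which
    feeds the "repeated requests with varying Value" heuristic.
    """
    findings = []
    hits_per_client = defaultdict(int)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["path"] != ENDPOINT:
            continue
        hits_per_client[rec["ip"]] += 1
        for value in rec["query"].get("Value", []):
            rules = classify_value(value)
            if rules:
                findings.append({
                    "ip": rec["ip"], "ts": rec["ts"], "status": rec["status"],
                    "value": value, "rules": rules,
                    "severity": "high" if STRONG_RULES & set(rules) else "low",
                })
    return findings, dict(hits_per_client)


def suspicious_clients(findings, hits_per_client, min_hits=3):
    """Clients that both hammered the endpoint and produced a strong match."""
    strong = {f["ip"] for f in findings if f["severity"] == "high"}
    return sorted(ip for ip, n in hits_per_client.items() if n >= min_hits and ip in strong)


if __name__ == "__main__":
    found, hits = analyze(SAMPLE_LOG)
    for f in found:
        print(f"{f['ts']} {f['ip']} [{f['severity']}] {f['rules']} value={f['value']!r}")
    print("endpoint hits per client:", hits)
    print("suspicious clients:", suspicious_clients(found, hits))
```

Two practical caveats: the apostrophe in O'Brien fires the weak rule on its own, which is why severity is only raised by the keyword rules, and a web server access log only records query strings of GET requests. If the endpoint is called with POST, the Value parameter never reaches the access log and the same rules have to run on application-level request logging, the WAF's log, or the database query log named in the indicators above.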
Monitoring Recommendations
- Enable detailed logging for the /PropertyAssign.php endpoint and database queries
- Configure alerts for SQL error messages or injection signatures in application logs
- Monitor for bulk data extraction patterns that may indicate database exfiltration
- Audit user accounts with ManageGroups and isEditRecordsEnabled permissions for unauthorized access
How to Mitigate CVE-2026-39330
Immediate Actions Required
- Upgrade ChurchCRM to version 7.1.0 or later immediately
- Review access logs for any suspicious activity targeting /PropertyAssign.php
- Audit user accounts with ManageGroups and isEditRecordsEnabled roles
- Consider temporarily restricting access to the vulnerable endpoint until patching is complete
Patch Information
The vulnerability has been fixed in ChurchCRM version 7.1.0. Organizations running versions prior to 7.1.0 should upgrade immediately. The patch addresses the SQL injection by implementing proper input validation and parameterized queries for the Value parameter in /PropertyAssign.php.
For patch details, refer to the GitHub Security Advisory.
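To make the root cause described above and the shape of the fix concrete, here is an added Python example; it is not ChurchCRM's own code (the project is written in PHP and the advisory does not reproduce the affected query). The table name, column names and the 255-character length limit are assumptions for the demonstration, and SQLite stands in for the real database. The unsafe function splices the Value string into the statement, which is the pattern the root-cause section describes; the safe function validates the input and binds it as a parameter, which is the pattern the patch description names.

```python
import sqlite3

# Hypothetical table standing in for wherever ChurchCRM stores property
# assignments; this is not the project's real schema.
SCHEMA = """
CREATE TABLE property_assignments (
    record_id   INTEGER NOT NULL,
    property_id INTEGER NOT NULL,
    value       TEXT NOT NULL
);
"""

MAX_VALUE_LEN = 255  # assumed limit for the free-text Value field


def make_db():
    """Fresh in-memory database with the hypothetical schema."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def assign_property_unsafe(conn, record_id, property_id, value):
    """The root-cause pattern: Value is spliced straight into the statement,
    so any quote in it changes the SQL the engine sees."""
    sql = (
        "INSERT INTO property_assignments (record_id, property_id, value) "
        f"VALUES ({int(record_id)}, {int(property_id)}, '{value}')"
    )
    conn.execute(sql)
    conn.commit()


def assign_property_safe(conn, record_id, property_id, value):
    """The fixed pattern: validate the input, then bind it as a parameter so
    the database treats it as data, never as part of the statement."""
    if not isinstance(value, str) or not value.strip():
        raise ValueError("Value must be a non-empty string")
    if len(value) > MAX_VALUE_LEN:
        raise ValueError("Value too long")
    conn.execute(
        "INSERT INTO property_assignments (record_id, property_id, value) "
        "VALUES (?, ?, ?)",
        (int(record_id), int(property_id), value),
    )
    conn.commit()


def stored_values(conn, record_id):
    """Values stored for one record, in insertion order."""
    rows = conn.execute(
        "SELECT value FROM property_assignments WHERE record_id = ? ORDER BY rowid",
        (record_id,),
    )
    return [row[0] for row in rows]


def compare(value):
    """Push the same Value through both builders and report what happened.

    Returns (unsafe_outcome, safe_stored): unsafe_outcome is "stored" or the
    database's error text; safe_stored is what the fixed version wrote.
    """
    conn = make_db()
    try:
        assign_property_unsafe(conn, 1, 7, value)
        unsafe_outcome = "stored"
    except sqlite3.OperationalError as exc:
        unsafe_outcome = f"error: {exc}"
    assign_property_safe(conn, 2, 7, value)
    return unsafe_outcome, stored_values(conn, 2)


if __name__ == "__main__":
    for sample in ("Choir", "O'Brien", "see 'UNION SELECT' in the notes"):
        print(repr(sample), "->", compare(sample))
```

Running it shows the mechanism without any exploit: a plain value is stored by both versions, but a value with an apostrophe breaks the string literal in the concatenated statement and produces exactly the kind of SQL syntax error the detection section lists as an indicator, while the parameterized version stores the same text verbatim. An attacker-chosen Value differs from O'Brien only in what follows the quote, which is why parameterization rather than escaping is the fix.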
Workarounds
- Restrict network access to the ChurchCRM application to trusted IP ranges only
- Temporarily disable or revoke ManageGroups and isEditRecordsEnabled roles from non-essential users until the patch is applied
- Implement a WAF rule to block requests containing SQL injection patterns targeting /PropertyAssign.php
- Place the ChurchCRM installation behind a reverse proxy with additional input validation
```apache
# Example: Apache .htaccess rule to restrict access to the vulnerable endpoint
# (Apache 2.2 syntax; on Apache 2.4 this needs mod_access_compat, or use
#  "Require ip 192.168.1.0/24" instead; adjust the range to your trusted network)
<Files "PropertyAssign.php">
    Order Deny,Allow
    Deny from all
    Allow from 192.168.1.0/24
</Files>
```
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


