CVE-2026-39331 Overview
CVE-2026-39331 is an Insecure Direct Object Reference (IDOR) vulnerability in ChurchCRM, an open-source church management system. Prior to version 7.1.0, authenticated API users can modify any family record's state without proper authorization by simply changing the {familyId} parameter in requests, regardless of whether they possess the required EditRecords privilege. This broken access control vulnerability affects multiple API endpoints and allows unauthorized manipulation of family records.
Critical Impact
Authenticated users can bypass authorization controls to deactivate/reactivate arbitrary families, spam verification emails, mark families as verified, and trigger geocoding operations on any family record in the system.
Affected Products
- ChurchCRM versions prior to 7.1.0
Discovery Timeline
- 2026-04-07 - CVE-2026-39331 published to NVD
- 2026-04-08 - Last updated in NVD database
Technical Details for CVE-2026-39331
Vulnerability Analysis
This vulnerability stems from missing role-based access control (RBAC) on several family-related API endpoints. The ChurchCRM application fails to verify that the authenticated user has the necessary EditRecords privilege before processing requests that modify family record states. An attacker with any valid authentication can enumerate family IDs and perform unauthorized operations on arbitrary family records throughout the system.
The vulnerability is classified under CWE-639 (Authorization Bypass Through User-Controlled Key), which describes scenarios where an application uses user-supplied input as a direct reference to an internal implementation object without proper authorization checks. In this case, the {familyId} parameter serves as the user-controlled key that references family records.
Root Cause
The root cause is the absence of authorization validation on family-related API endpoints. The following endpoints lack proper role-based access control:
- /family/{familyId}/verify
- /family/{familyId}/verify/url
- /family/{familyId}/verify/now
- /family/{familyId}/activate/{status}
- /family/{familyId}/geocode
These endpoints accept the familyId parameter directly from user input without verifying that the requesting user has the EditRecords privilege required to modify the specified family record.
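The following Python model illustrates the CWE-639 pattern described above, with the unprotected handler shape beside a hardened one that enforces the EditRecords privilege before dereferencing the user-supplied familyId. This is an added example written for this page, not ChurchCRM's own code (which is PHP); the route paths and the EditRecords privilege name come from the advisory, while the User and Family classes, the handler names, the in-memory record store and the route audit helper are constructed here.

```python
"""Added illustration of the missing-authorization defect behind CVE-2026-39331.
Not ChurchCRM code: the User/Family classes, handlers and route table are
constructed for this example. Only the paths and the 'EditRecords' privilege
name are taken from the advisory."""
from dataclasses import dataclass, field


@dataclass
class User:
    username: str
    privileges: set = field(default_factory=set)   # e.g. {"EditRecords"}


@dataclass
class Family:
    family_id: int
    active: bool = True
    verified: bool = False


# Constructed in-memory stand-in for the family table.
FAMILIES = {1: Family(1), 2: Family(2), 3: Family(3)}


class Forbidden(Exception):
    """Raised when the caller lacks the privilege an endpoint requires."""


def vulnerable_activate(user: User, family_id: int, status: bool) -> dict:
    """Pre-fix shape: being authenticated is treated as sufficient and the
    user-controlled familyId is dereferenced directly (CWE-639)."""
    family = FAMILIES[family_id]
    family.active = status
    return {"familyId": family_id, "active": family.active}


def require_privilege(privilege: str):
    """Decorator that refuses the request unless the user holds `privilege`.
    The check runs before any record is loaded, so the key is never
    dereferenced on behalf of an unauthorized caller."""
    def decorator(handler):
        def wrapper(user: User, *args, **kwargs):
            if privilege not in user.privileges:
                raise Forbidden(f"{user.username} lacks {privilege}")
            return handler(user, *args, **kwargs)
        wrapper.required_privilege = privilege   # used by the route audit below
        return wrapper
    return decorator


@require_privilege("EditRecords")
def hardened_activate(user: User, family_id: int, status: bool) -> dict:
    family = FAMILIES[family_id]
    family.active = status
    return {"familyId": family_id, "active": family.active}


@require_privilege("EditRecords")
def hardened_verify(user: User, family_id: int) -> dict:
    family = FAMILIES[family_id]
    family.verified = True
    return {"familyId": family_id, "verified": family.verified}


def unprotected_routes(routes: dict) -> list:
    """Audit helper: return every route whose handler carries no privilege
    requirement, so a missing check on one endpoint is caught in review."""
    return sorted(path for path, handler in routes.items()
                  if getattr(handler, "required_privilege", None) is None)


# Route table in the advisory's path style; one entry deliberately left on the
# unprotected handler so the audit has something to report.
ROUTES = {
    "/family/{familyId}/verify": hardened_verify,
    "/family/{familyId}/activate/{status}": hardened_activate,
    "/family/{familyId}/geocode": vulnerable_activate,
}


def demo() -> dict:
    editor = User("editor", {"EditRecords"})
    viewer = User("viewer")            # authenticated, but no EditRecords
    results = {}
    # Unprotected path: the viewer deactivates family 2 without challenge.
    results["vuln_viewer"] = vulnerable_activate(viewer, 2, False)["active"]
    # Hardened path: the same caller is refused before any record is touched.
    try:
        hardened_activate(viewer, 3, False)
        results["hard_viewer"] = "allowed"
    except Forbidden:
        results["hard_viewer"] = "forbidden"
    results["hard_editor"] = hardened_activate(editor, 3, False)["active"]
    results["unprotected"] = unprotected_routes(ROUTES)
    return results


if __name__ == "__main__":
    print(demo())
```

The audit helper is the part worth carrying into a real code base: register every state-changing route through one mechanism that records the required privilege, then assert in a test that no route under the family prefix is registered without one, so the omission that produced this CVE fails the build rather than a security review.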
Attack Vector
The attack is conducted over the network and requires low-privilege authentication. An attacker who has obtained valid API credentials can exploit this vulnerability by:
- Authenticating to the ChurchCRM API with any valid user account
- Identifying target family IDs through enumeration or other information gathering
- Sending crafted HTTP requests to the vulnerable endpoints with manipulated familyId parameters
- Executing unauthorized operations including deactivating families, sending spam verification emails, marking families as verified, or triggering geocoding
The vulnerability does not require user interaction, and the attacker can systematically target all family records in the database. For technical details on the vulnerability mechanism, refer to the GitHub Security Advisory.
Detection Methods for CVE-2026-39331
Indicators of Compromise
- Unusual API activity patterns on /family/{familyId}/verify, /family/{familyId}/activate, or /family/{familyId}/geocode endpoints from low-privilege accounts
- High volume of verification emails sent to family records in a short time period
- Unexplained changes to family activation status across multiple records
- API requests iterating through sequential or enumerated family ID values
Detection Strategies
- Monitor API logs for authenticated users accessing family records outside their normal scope or permission level
- Implement alerting for bulk operations targeting the vulnerable endpoints from a single user session
- Review application logs for verification email triggers that don't correlate with legitimate user workflows
- Analyze access patterns to identify potential IDOR exploitation attempts through parameter tampering
Monitoring Recommendations
- Enable detailed API request logging including user identity, requested family IDs, and operation outcomes
- Configure alerts for anomalous family record modification rates per user account
- Implement baseline monitoring for family activation/deactivation operations to detect statistical anomalies
- Cross-reference API activity with user privilege levels to identify authorization bypass attempts
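The detection and monitoring points above can be combined into one log review: cross-reference each request to a state-changing family endpoint with the caller's privileges, count distinct family IDs per user inside a short window, and look for sequential ID runs. The script below is an added example for this page, not a ChurchCRM or NVD tool. The log line format, the /api prefix on the paths, the USER_PRIVILEGES mapping and the sample lines are all constructed assumptions; adapt LINE_RE to whatever your reverse proxy or application actually writes.

```python
"""Added example: IDOR-pattern detection over constructed ChurchCRM-style API
logs for CVE-2026-39331. The log format, '/api' prefix, user privilege map and
sample lines are assumptions made for this example, not ChurchCRM artefacts."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log. 'bob' holds no EditRecords privilege yet walks five
# consecutive family IDs through the verify endpoint within seconds.
SAMPLE_LOG = """\
2026-04-08T10:00:01Z user=alice method=POST path=/api/family/101/activate/false status=200
2026-04-08T10:00:02Z user=bob method=POST path=/api/family/101/verify status=200
2026-04-08T10:00:03Z user=bob method=POST path=/api/family/102/verify status=200
2026-04-08T10:00:04Z user=bob method=POST path=/api/family/103/verify status=200
2026-04-08T10:00:05Z user=bob method=POST path=/api/family/104/verify status=200
2026-04-08T10:00:06Z user=bob method=POST path=/api/family/105/verify status=200
2026-04-08T10:05:00Z user=carol method=GET path=/api/family/7 status=200
2026-04-08T10:06:00Z user=alice method=POST path=/api/family/250/geocode status=200
"""

# Constructed privilege map; in practice pull this from the user/role tables.
USER_PRIVILEGES = {"alice": {"EditRecords"}, "bob": set(), "carol": set()}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) method=(?P<method>\S+) "
    r"path=(?P<path>\S+) status=(?P<status>\d+)$")
# The five endpoints named in the advisory, with an assumed '/api' prefix.
SENSITIVE_RE = re.compile(
    r"^/api/family/(?P<fid>\d+)/(?P<op>verify(?:/url|/now)?|activate/\w+|geocode)$")


def parse(log_text: str) -> list:
    """Keep only requests that hit a state-changing family endpoint."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        s = SENSITIVE_RE.match(m["path"])
        if not s:
            continue
        events.append({
            "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
            "user": m["user"], "fid": int(s["fid"]),
            "op": s["op"], "status": int(m["status"]),
        })
    return events


def detect(events: list, privileges: dict, window=timedelta(minutes=5),
           max_families: int = 3, min_run: int = 3) -> list:
    """Return alert tuples. Thresholds are illustrative starting points."""
    alerts = []
    by_user = defaultdict(list)
    for e in events:
        # Rule 1: caller lacks EditRecords. status 200 means the request was
        # honoured (unpatched); 403 after patching still marks an attempt.
        if "EditRecords" not in privileges.get(e["user"], set()):
            alerts.append(("UNPRIVILEGED_WRITE", e["user"], e["fid"],
                           e["op"], e["status"]))
        by_user[e["user"]].append(e)
    for user, evs in by_user.items():
        evs.sort(key=lambda x: x["ts"])
        # Rule 2: too many distinct family IDs from one user inside `window`.
        for i, e in enumerate(evs):
            fids = {x["fid"] for x in evs[i:] if x["ts"] - e["ts"] <= window}
            if len(fids) > max_families:
                alerts.append(("BULK_FAMILY_OPS", user, len(fids)))
                break
        # Rule 3: a run of consecutive family IDs suggests enumeration.
        run = best = 1
        for a, b in zip(evs, evs[1:]):
            run = run + 1 if b["fid"] == a["fid"] + 1 else 1
            best = max(best, run)
        if best >= min_run:
            alerts.append(("SEQUENTIAL_FAMILY_IDS", user, best))
    return alerts


if __name__ == "__main__":
    for alert in detect(parse(SAMPLE_LOG), USER_PRIVILEGES):
        print(alert)
```

Rule 1 is the decisive signal for this CVE, because a privileged editor legitimately performing bulk activation would trip rules 2 and 3 alone; the sliding-window and sequential-ID rules exist to catch an attacker who does hold EditRecords but is working through records outside their normal scope, and their thresholds should be tuned against a baseline of normal activity before alerting on them.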
How to Mitigate CVE-2026-39331
Immediate Actions Required
- Upgrade ChurchCRM to version 7.1.0 or later immediately
- Audit API access logs for evidence of exploitation prior to patching
- Review user accounts for any unauthorized privilege modifications
- Verify the integrity of family records that may have been tampered with
Patch Information
The vulnerability has been addressed in ChurchCRM version 7.1.0. Organizations should upgrade to this version or later to remediate the vulnerability. The patch implements proper role-based access control checks on the affected family API endpoints, ensuring that users must possess the EditRecords privilege before modifying family records.
For detailed patch information, refer to the GitHub Security Advisory.
Workarounds
- If immediate patching is not possible, restrict API access to trusted users only at the network level
- Implement web application firewall (WAF) rules to monitor and rate-limit requests to the vulnerable /family/{familyId}/ endpoints
- Temporarily disable API functionality if not critical to operations until the patch can be applied
- Apply additional authentication requirements or IP restrictions to the ChurchCRM application
# Example: Restrict access to ChurchCRM API endpoints via Apache configuration
<Location "/api/family">
    Require ip 192.168.1.0/24
</Location>
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.