Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2026-39331

CVE-2026-39331: ChurchCRM Auth Bypass Vulnerability

CVE-2026-39331 is an authentication bypass flaw in ChurchCRM that allows authenticated API users to modify family records without authorization. This post covers technical details, affected versions, and mitigation.

Published:

CVE-2026-39331 Overview

CVE-2026-39331 is an Insecure Direct Object Reference (IDOR) vulnerability in ChurchCRM, an open-source church management system. Prior to version 7.1.0, authenticated API users can modify any family record's state without proper authorization by simply changing the {familyId} parameter in requests, regardless of whether they possess the required EditRecords privilege. This broken access control vulnerability affects multiple API endpoints and allows unauthorized manipulation of family records.

Critical Impact

Authenticated users can bypass authorization controls to deactivate/reactivate arbitrary families, spam verification emails, mark families as verified, and trigger geocoding operations on any family record in the system.

Affected Products

  • ChurchCRM versions prior to 7.1.0

Discovery Timeline

  • 2026-04-07 - CVE CVE-2026-39331 published to NVD
  • 2026-04-08 - Last updated in NVD database

Technical Details for CVE-2026-39331

Vulnerability Analysis

This vulnerability stems from missing role-based access control (RBAC) on several family-related API endpoints. The ChurchCRM application fails to verify that the authenticated user has the necessary EditRecords privilege before processing requests that modify family record states. An attacker with any valid authentication can enumerate family IDs and perform unauthorized operations on arbitrary family records throughout the system.

The vulnerability is classified under CWE-639 (Authorization Bypass Through User-Controlled Key), which describes scenarios where an application uses user-supplied input as a direct reference to an internal implementation object without proper authorization checks. In this case, the {familyId} parameter serves as the user-controlled key that references family records.

Root Cause

The root cause is the absence of authorization validation on family-related API endpoints. The following endpoints lack proper role-based access control:

  • /family/{familyId}/verify
  • /family/{familyId}/verify/url
  • /family/{familyId}/verify/now
  • /family/{familyId}/activate/{status}
  • /family/{familyId}/geocode

These endpoints accept the familyId parameter directly from user input without verifying that the requesting user has the EditRecords privilege required to modify the specified family record.

Attack Vector

The attack is conducted over the network and requires low-privilege authentication. An attacker who has obtained valid API credentials can exploit this vulnerability by:

  1. Authenticating to the ChurchCRM API with any valid user account
  2. Identifying target family IDs through enumeration or other information gathering
  3. Sending crafted HTTP requests to the vulnerable endpoints with manipulated familyId parameters
  4. Executing unauthorized operations including deactivating families, sending spam verification emails, marking families as verified, or triggering geocoding

The vulnerability does not require user interaction, and the attacker can systematically target all family records in the database. For technical details on the vulnerability mechanism, refer to the GitHub Security Advisory.

Detection Methods for CVE-2026-39331

Indicators of Compromise

  • Unusual API activity patterns on /family/{familyId}/verify, /family/{familyId}/activate, or /family/{familyId}/geocode endpoints from low-privilege accounts
  • High volume of verification emails sent to family records in a short time period
  • Unexplained changes to family activation status across multiple records
  • API requests iterating through sequential or enumerated family ID values

Detection Strategies

  • Monitor API logs for authenticated users accessing family records outside their normal scope or permission level
  • Implement alerting for bulk operations targeting the vulnerable endpoints from a single user session
  • Review application logs for verification email triggers that don't correlate with legitimate user workflows
  • Analyze access patterns to identify potential IDOR exploitation attempts through parameter tampering

Monitoring Recommendations

  • Enable detailed API request logging including user identity, requested family IDs, and operation outcomes
  • Configure alerts for anomalous family record modification rates per user account
  • Implement baseline monitoring for family activation/deactivation operations to detect statistical anomalies
  • Cross-reference API activity with user privilege levels to identify authorization bypass attempts

How to Mitigate CVE-2026-39331

Immediate Actions Required

  • Upgrade ChurchCRM to version 7.1.0 or later immediately
  • Audit API access logs for evidence of exploitation prior to patching
  • Review user accounts for any unauthorized privilege modifications
  • Verify the integrity of family records that may have been tampered with

Patch Information

The vulnerability has been addressed in ChurchCRM version 7.1.0. Organizations should upgrade to this version or later to remediate the vulnerability. The patch implements proper role-based access control checks on the affected family API endpoints, ensuring that users must possess the EditRecords privilege before modifying family records.

For detailed patch information, refer to the GitHub Security Advisory.

Workarounds

  • If immediate patching is not possible, restrict API access to trusted users only at the network level
  • Implement web application firewall (WAF) rules to monitor and rate-limit requests to the vulnerable /family/{familyId}/ endpoints
  • Temporarily disable API functionality if not critical to operations until the patch can be applied
  • Apply additional authentication requirements or IP restrictions to the ChurchCRM application
bash
# Example: Restrict access to ChurchCRM API endpoints via Apache configuration
<Location "/api/family">
    Require ip 192.168.1.0/24
</Location>

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.