CVE-2026-39334 Overview
ChurchCRM is an open-source church management system. A SQL injection vulnerability was discovered in ChurchCRM versions prior to 7.1.0. The flaw exists in the /SettingsIndividual.php endpoint, where authenticated users without any specific privileges can inject arbitrary SQL statements through the type array parameter via the index. This allows attackers to extract and modify information from the database, potentially compromising sensitive congregational data.
Critical Impact
Authenticated users can exploit this SQL injection to extract sensitive database contents and modify records without requiring elevated privileges.
Affected Products
- ChurchCRM versions prior to 7.1.0
- ChurchCRM 7.0.5 (confirmed vulnerable)
Discovery Timeline
- 2026-04-07 - CVE CVE-2026-39334 published to NVD
- 2026-04-08 - Last updated in NVD database
Technical Details for CVE-2026-39334
Vulnerability Analysis
This SQL injection vulnerability (CWE-89) affects the /SettingsIndividual.php endpoint in ChurchCRM. The vulnerability stems from improper handling of the type array parameter, which accepts user-controlled input that is incorporated into SQL queries without adequate sanitization or parameterization.
The attack can be executed by any authenticated user, regardless of their privilege level within the ChurchCRM application. This is particularly concerning for church management systems that may have numerous volunteer users with basic access credentials. An attacker could leverage this vulnerability to read sensitive congregational information, financial data, or personal records stored in the database.
Root Cause
The root cause of this vulnerability is insufficient input validation and improper use of parameterized queries in the SettingsIndividual.php endpoint. The type array parameter allows index manipulation that passes user-controlled data directly into SQL statements without proper sanitization or use of prepared statements.
Attack Vector
The attack is network-based and requires only low-privilege authentication to exploit. An attacker with any valid ChurchCRM user account can craft malicious requests to the /SettingsIndividual.php endpoint, manipulating the type array parameter index to inject SQL commands.
The vulnerability allows both data extraction (using techniques like UNION-based or blind SQL injection) and data modification (using UPDATE or INSERT statements). Since the attack requires only basic authentication without specific privileges, the barrier to exploitation is relatively low for insider threats or compromised user accounts.
For technical details, refer to the GitHub Security Advisory.
Detection Methods for CVE-2026-39334
Indicators of Compromise
- Unusual or malformed HTTP requests to /SettingsIndividual.php containing SQL keywords in the type parameter
- Database query logs showing unexpected SQL statements or UNION-based injection patterns
- Application error logs indicating SQL syntax errors from the SettingsIndividual endpoint
- Anomalous database access patterns or bulk data extraction from authenticated sessions
Detection Strategies
- Implement Web Application Firewall (WAF) rules to detect SQL injection patterns in requests to ChurchCRM endpoints
- Monitor HTTP access logs for requests to /SettingsIndividual.php with suspicious type parameter values
- Enable database query logging and alert on queries containing injection signatures or unusual data access patterns
- Review authentication logs for accounts making repeated requests to the vulnerable endpoint
Monitoring Recommendations
- Configure SIEM alerts for SQL injection attempt patterns targeting ChurchCRM installations
- Implement real-time monitoring of database queries originating from the ChurchCRM application
- Set up alerts for bulk data retrieval or unusual UPDATE/INSERT operations against sensitive tables
- Monitor for new or unexpected user account creation that could indicate post-exploitation activity
How to Mitigate CVE-2026-39334
Immediate Actions Required
- Upgrade ChurchCRM to version 7.1.0 or later immediately to address this vulnerability
- Restrict network access to ChurchCRM installations to trusted networks while preparing the upgrade
- Audit user accounts and remove unnecessary access privileges
- Review database logs for signs of prior exploitation
Patch Information
The vulnerability has been fixed in ChurchCRM version 7.1.0. Organizations running ChurchCRM should update to this version or later as soon as possible. The fix addresses the improper handling of the type array parameter in the /SettingsIndividual.php endpoint.
For additional details on the security fix, see the GitHub Security Advisory.
Workarounds
- Implement a Web Application Firewall (WAF) with rules to block SQL injection attempts against the vulnerable endpoint
- Restrict access to /SettingsIndividual.php at the web server level to trusted administrators only
- Disable or remove the affected functionality if not required while awaiting the upgrade
- Enable strict database user permissions to limit the impact of potential SQL injection attacks
# Example: Restrict access to vulnerable endpoint via Apache configuration
<Location /SettingsIndividual.php>
Require ip 10.0.0.0/8
Require ip 192.168.0.0/16
</Location>
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
