CVE-2026-39340 Overview
ChurchCRM is an open-source church management system that contains a SQL injection vulnerability in PropertyTypeEditor.php, part of the administration functionality for managing property type categories. The vulnerability was introduced when legacyFilterInput() — which both strips HTML and escapes SQL — was replaced with sanitizeText(), which only strips HTML. User-supplied values from the Name and Description fields are concatenated directly into raw INSERT and UPDATE queries without SQL escaping.
Critical Impact
Any authenticated user with the MenuOptions role (a non-admin staff permission) can perform time-based blind SQL injection to exfiltrate sensitive data from the database, including password hashes of all users.
Affected Products
- ChurchCRM versions prior to 7.1.0
- ChurchCRM PropertyTypeEditor.php component
- ChurchCRM Person Properties / Family Properties administration modules
Discovery Timeline
- 2026-04-07 - CVE-2026-39340 published to NVD
- 2026-04-09 - Last updated in NVD database
Technical Details for CVE-2026-39340
Vulnerability Analysis
This SQL injection vulnerability (CWE-89, improper neutralization of special elements used in an SQL command) allows authenticated attackers with limited privileges to extract sensitive data from the ChurchCRM database. The flaw sits in PropertyTypeEditor.php, which handles administration of property type categories reached through the People → Person Properties and Family Properties menu paths: the values submitted there pass through an HTML sanitizer but are never neutralized for SQL before being placed in a query.
The vulnerability is particularly dangerous because it can be exploited by users holding only the MenuOptions role, which is intended for non-administrative staff. That low privilege requirement widens the pool of possible attackers from administrators to any staff account with that role, including one whose credentials have been phished or reused, and the data reachable is not limited to property types: a blind injection in an INSERT or UPDATE can read any table the application's database account can see.
Root Cause
The root cause is the replacement of legacyFilterInput() with sanitizeText() during refactoring. legacyFilterInput() did two jobs, stripping HTML and escaping SQL metacharacters such as the single quote, so callers that built queries by string concatenation were protected as a side effect. sanitizeText() performs only the HTML step, so once it was dropped in as a replacement the Name and Description values reached the SQL string with their quotes intact.
The affected code builds its INSERT and UPDATE statements by concatenating those values into the query text. A single quote in the submitted Name or Description therefore terminates the string literal, and whatever follows is parsed as SQL rather than stored as data, which is the classic injection condition: the attacker controls query structure, not just a value. Escaping would restore the previous behaviour; binding the values as parameters of a prepared statement removes this class of bug regardless of what the HTML sanitizer does.
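As an added illustration (not ChurchCRM's code and not taken from the advisory), the following Python uses an in-memory SQLite database to show why an HTML-only sanitizer does not prevent the injection described above, and how binding the same values as query parameters does. The table and column names, the sanitize_text stand-in, and the payload are all constructed for this example; SQLite is used instead of MySQL so it runs offline, and because SQLite has no SLEEP() the payload pulls the hash out directly with a subquery rather than by timing.

```python
import re
import sqlite3

# Constructed toy schema standing in for the application's tables; the table
# and column names are assumptions for this example, not ChurchCRM's schema.
SCHEMA = """
CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password_hash TEXT);
CREATE TABLE property_type (id INTEGER PRIMARY KEY, name TEXT, description TEXT);
INSERT INTO users VALUES (1, 'admin', '$2y$10$constructedhash');
"""


def sanitize_text(value: str) -> str:
    """Stand-in for an HTML-only sanitizer: removes tags, leaves quotes alone."""
    return re.sub(r"<[^>]*>", "", value)


def fresh_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def insert_vulnerable(conn: sqlite3.Connection, name: str, description: str) -> None:
    """Vulnerable pattern: HTML-stripped input concatenated into raw SQL.

    The sanitizer does its job (tags are gone), but the single quote in the
    value still closes the string literal, so the rest is parsed as SQL.
    """
    name = sanitize_text(name)
    description = sanitize_text(description)
    sql = (
        "INSERT INTO property_type (name, description) "
        f"VALUES ('{name}', '{description}')"
    )
    conn.execute(sql)
    conn.commit()


def insert_fixed(conn: sqlite3.Connection, name: str, description: str) -> None:
    """Hardened pattern: same HTML stripping, but values bound as parameters,
    so quotes and keywords in the value are stored literally."""
    conn.execute(
        "INSERT INTO property_type (name, description) VALUES (?, ?)",
        (sanitize_text(name), sanitize_text(description)),
    )
    conn.commit()


def stored_rows(conn: sqlite3.Connection) -> list:
    return conn.execute(
        "SELECT name, description FROM property_type ORDER BY id"
    ).fetchall()


# Constructed payload: the <b> tags are stripped by sanitize_text, then the
# quote closes the name literal, a subquery replaces the description value
# with the admin hash, and "--" comments out the rest of the original query.
PAYLOAD = "<b>x</b>', (SELECT password_hash FROM users WHERE username='admin')) -- "


def demo() -> tuple:
    """Run the same payload through both code paths and return what was stored."""
    vuln = fresh_db()
    insert_vulnerable(vuln, PAYLOAD, "ignored")
    fixed = fresh_db()
    insert_fixed(fixed, PAYLOAD, "ignored")
    return stored_rows(vuln), stored_rows(fixed)


if __name__ == "__main__":
    vuln_rows, fixed_rows = demo()
    print("vulnerable stored:", vuln_rows)   # description column now holds the hash
    print("fixed stored:     ", fixed_rows)  # payload stored verbatim as a name
```

In the vulnerable path the attacker reads the admin hash back simply by viewing the property type they just created; in the fixed path the database receives the payload as an opaque string and the query structure never changes. The same holds for an UPDATE built the same way.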
Attack Vector
The attack is network-based with low attack complexity. An attacker who holds valid credentials for an account with the MenuOptions role (their own, or a compromised staff account) can reach the vulnerable Property Type Editor through the normal administrative interface; no other precondition is needed.
Exploitation is time-based blind SQL injection: the attacker submits a crafted Name or Description when creating or editing a property type. Because an INSERT or UPDATE returns no result set to the page, the payload uses a conditional delay (SLEEP() or BENCHMARK() on the MySQL/MariaDB backend ChurchCRM uses) that fires only when a guess about a stored value is correct, so each request leaks one bit through the response time. Repeating the guess for every character position reconstructs arbitrary values, including user credentials and password hashes, without ever seeing query output.
For detailed technical information about this vulnerability, see the GitHub Security Advisory.
Detection Methods for CVE-2026-39340
Indicators of Compromise
- Response times from PropertyTypeEditor.php that cluster at a fixed delay (for example about 5 seconds) alternating with normal fast responses, the signature of per-character conditional delays
- Property type entries whose Name or Description contains SQL syntax such as an unbalanced single quote followed by a comment sequence (-- or #), UNION SELECT, or calls to SLEEP() or BENCHMARK(); a lone apostrophe in a legitimate name such as a guild or society is not by itself an indicator
- A high volume of POST requests to /PropertyTypeEditor.php from a single authenticated user, since blind extraction needs at least one request per guessed character
- Database query logs showing INSERT or UPDATE statements on the property type table whose values contain subqueries, conditional expressions, or delay functions
Detection Strategies
- Monitor HTTP request logs for POST parameters to PropertyTypeEditor.php containing SQL injection patterns; this requires logging that captures form bodies, which Apache's default access log does not
- Put a Web Application Firewall (WAF) with SQL injection rules in front of the application as defense in depth, bearing in mind that WAF signatures can be evaded and do not remove the underlying bug
- Enable database query logging and alert on statements containing SLEEP() or BENCHMARK(), the delay primitives relevant to ChurchCRM's MySQL/MariaDB backend (WAITFOR DELAY is SQL Server syntax and will not appear here)
- Review ChurchCRM application logs for SQL syntax errors in property type operations; a working blind payload produces no error, so these typically appear while an attacker is still tuning the injection
Monitoring Recommendations
- Configure alerting for database queries that exceed normal execution time thresholds; with MySQL/MariaDB, enabling the slow query log with long_query_time set well below the attacker's likely delay (for example 1 second) records every SLEEP()-based probe
- Implement user behavior analytics to detect authenticated users accessing PropertyTypeEditor at unusual frequencies
- Monitor for bulk data access patterns that could indicate ongoing data exfiltration
- Audit MenuOptions role assignments and limit to essential personnel only
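To make the indicators and detection strategies above concrete, here is an added Python example (not part of the original page and not ChurchCRM's own tooling) that applies three of the checks to a constructed request log: payload patterns in the Name and Description parameters, abnormally slow responses, and per-user request volume against PropertyTypeEditor.php. It assumes a JSON-lines log that records the authenticated user, request path, form parameters and response time; an application audit log or a WAF can provide this, Apache's default access log cannot. The field names, user names, thresholds, and the table and column names inside the sample payloads are all constructed for the example.

```python
import json
import re
from collections import Counter
from typing import Optional

# Constructed sample request log (JSON lines). Field names, users, payload
# contents and the format itself are assumptions for this example.
SAMPLE_LOG = """\
{"ts":"2026-04-08T10:00:01Z","user":"alice","path":"/PropertyTypeEditor.php","params":{"Name":"Choir","Description":"Sings on Sundays"},"duration_ms":41}
{"ts":"2026-04-08T10:00:05Z","user":"alice","path":"/PropertyTypeEditor.php","params":{"Name":"Women's Guild","Description":"Meets monthly"},"duration_ms":39}
{"ts":"2026-04-08T10:01:00Z","user":"mallory","path":"/PropertyTypeEditor.php","params":{"Name":"x' AND IF(SUBSTR((SELECT password_hash FROM users LIMIT 1),1,1)='a',SLEEP(5),0)-- ","Description":""},"duration_ms":5032}
{"ts":"2026-04-08T10:01:06Z","user":"mallory","path":"/PropertyTypeEditor.php","params":{"Name":"x' AND IF(SUBSTR((SELECT password_hash FROM users LIMIT 1),1,1)='b',SLEEP(5),0)-- ","Description":""},"duration_ms":44}
{"ts":"2026-04-08T10:01:07Z","user":"mallory","path":"/PropertyTypeEditor.php","params":{"Name":"x' AND BENCHMARK(5000000,SHA1(1))-- ","Description":""},"duration_ms":4870}
{"ts":"2026-04-08T10:01:08Z","user":"mallory","path":"/PropertyTypeEditor.php","params":{"Name":"x' OR 1=1-- ","Description":""},"duration_ms":40}
{"ts":"2026-04-08T10:01:09Z","user":"mallory","path":"/PropertyTypeEditor.php","params":{"Name":"test","Description":"test"},"duration_ms":38}
{"ts":"2026-04-08T10:02:00Z","user":"bob","path":"/index.php","params":{},"duration_ms":120}
"""

TARGET_PATH = "/PropertyTypeEditor.php"
SLOW_MS = 3000             # assumed threshold, well above the ~40 ms baseline in the sample
MAX_REQUESTS_PER_USER = 4  # assumed threshold; tune to real editor usage

# High confidence: MySQL/MariaDB delay primitives or a UNION SELECT.
TIME_OR_UNION = re.compile(r"\b(SLEEP|BENCHMARK|UNION\s+SELECT)\b", re.I)
# Medium confidence: a quote followed later by a SQL comment sequence. A
# legitimate value with an apostrophe ("Women's Guild") does not match.
QUOTE_THEN_COMMENT = re.compile(r"'.*(--|#|/\*)")


def classify_value(value: str) -> Optional[str]:
    """Return a finding label for a submitted form value, or None if it looks benign."""
    if TIME_OR_UNION.search(value):
        return "time_or_union"
    if QUOTE_THEN_COMMENT.search(value):
        return "quote_comment"
    return None


def analyze(log_text: str) -> dict:
    """Run the three checks over the log and return findings keyed by check."""
    findings = {"payloads": [], "slow": [], "rate": []}
    per_user = Counter()
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        entry = json.loads(raw)
        if entry["path"] != TARGET_PATH:
            continue
        per_user[entry["user"]] += 1
        # Check 1: injection patterns in the two injectable parameters.
        for field in ("Name", "Description"):
            kind = classify_value(entry["params"].get(field, ""))
            if kind:
                findings["payloads"].append((entry["ts"], entry["user"], field, kind))
        # Check 2: response time consistent with a fired conditional delay.
        if entry["duration_ms"] >= SLOW_MS:
            findings["slow"].append((entry["ts"], entry["user"], entry["duration_ms"]))
    # Check 3: one user hammering the editor, as blind extraction requires.
    findings["rate"] = [u for u, n in per_user.items() if n > MAX_REQUESTS_PER_USER]
    return findings


if __name__ == "__main__":
    for check, items in analyze(SAMPLE_LOG).items():
        print(check, items)
```

Only the time-delay and union checks are high confidence on their own; the quote-plus-comment check and the rate check are meant to be combined with them, and the slow-response check needs a baseline from your own instance before the threshold is meaningful. Note that the second SLEEP probe in the sample is fast: a conditional delay only fires when the guess is right, so alternating fast and slow responses from one user is itself the pattern to look for.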
How to Mitigate CVE-2026-39340
Immediate Actions Required
- Upgrade ChurchCRM to version 7.1.0 or later immediately
- Audit existing property type entries for suspicious content that may indicate prior exploitation attempts
- Treat stored password hashes as potentially disclosed if the instance was reachable while vulnerable and exploitation cannot be ruled out: force a password reset for all users and rotate any API keys
- Review database access logs for evidence of time-based injection attacks
Patch Information
ChurchCRM has addressed this vulnerability in version 7.1.0. The fix restores proper SQL escaping for user-supplied input in the PropertyTypeEditor.php file. Organizations should upgrade to this version or later to remediate the vulnerability. For additional details, consult the GitHub Security Advisory.
Workarounds
- Restrict access to the Property Type Editor by removing the MenuOptions role from non-essential users until patching is complete; this shrinks the set of accounts that can reach the vulnerable code but does not protect against those that keep the role
- Implement a Web Application Firewall (WAF) with SQL injection detection rules in front of the ChurchCRM application as an interim layer, not a substitute for the upgrade
- Temporarily disable the PropertyTypeEditor.php page if property type management is not immediately required
- Place the ChurchCRM instance behind a VPN or IP allowlist to limit network exposure; note that this does nothing against an attacker who already holds a MenuOptions account and connects from an allowed address
# Example: restrict access to PropertyTypeEditor.php via Apache 2.4 .htaccess
# (Require in .htaccess needs AllowOverride AuthConfig; place the file in the
# directory that actually contains PropertyTypeEditor.php in your install)
<Files "PropertyTypeEditor.php">
    # Allow only the admin network; this does not stop a MenuOptions user
    # who connects from inside that range
    Require ip 192.168.1.0/24
    # Or deny all access temporarily
    # Require all denied
</Files>
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

