CVE-2026-39341 Overview
ChurchCRM, an open-source church management system, contains a time-based SQL injection vulnerability in versions prior to 7.1.0. The vulnerability exists due to improper input validation in the Reports/ConfirmReportEmail.php endpoint. Specifically, the familyId parameter is not correctly sanitized and, critically, even where sanitization does occur, the sanitized value is not the one used to construct the SQL query, which allows attackers to inject arbitrary SQL statements.
Critical Impact
Authenticated attackers can exploit this SQL injection to extract sensitive church member data, modify database records, and potentially compromise the entire ChurchCRM database containing personal information of congregation members.
Affected Products
- ChurchCRM versions prior to 7.1.0
- ChurchCRM deployments with the Reports/ConfirmReportEmail.php endpoint exposed
Discovery Timeline
- 2026-04-07 - CVE-2026-39341 published to NVD
- 2026-04-09 - Last updated in NVD database
Technical Details for CVE-2026-39341
Vulnerability Analysis
This vulnerability is classified as CWE-89 (Improper Neutralization of Special Elements used in an SQL Command), commonly known as SQL Injection. The flaw resides in the Reports/ConfirmReportEmail.php endpoint, which accepts a familyId parameter from user input. While the application appears to implement input sanitization, the critical flaw is that the sanitized value is never actually used in the subsequent SQL query construction, which renders the sanitization completely ineffective.
The time-based nature of this SQL injection means attackers can extract data by observing response timing differences when injecting conditional time-delay statements (such as SLEEP() in MySQL). This technique allows data exfiltration even when the application does not return query results directly to the user.
Root Cause
The root cause is a logical programming error where input sanitization is performed but the original, unsanitized user input is subsequently used to build the SQL query. This represents a common secure coding mistake where developers implement security controls but fail to properly integrate them into the data flow. The disconnect between sanitization logic and query construction creates a direct path for SQL injection attacks.
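The sanitize-then-ignore pattern described above, shown as an added Python illustration rather than ChurchCRM's own code (ChurchCRM is PHP; the family table, the sanitize_family_id helper and the three lookup functions are hypothetical stand-ins). The vulnerable version computes a sanitized id and then splices the raw request value anyway; the other two show the fix as the advisory describes it and the parameterized form a reviewer would prefer:

```python
import re
import sqlite3

def make_db():
    # Constructed in-memory stand-in for a family table; not ChurchCRM's real schema.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE family (fam_id INTEGER PRIMARY KEY, name TEXT, email TEXT)")
    conn.executemany("INSERT INTO family VALUES (?, ?, ?)", [
        (1, "Alpha", "alpha@example.org"),
        (2, "Beta", "beta@example.org"),
        (3, "Gamma", "gamma@example.org"),
    ])
    return conn

def sanitize_family_id(raw):
    # Hypothetical sanitizer: keep only a leading run of digits, defaulting to 0.
    m = re.match(r"\d+", raw)
    return int(m.group()) if m else 0

def lookup_vulnerable(conn, raw_family_id):
    # Mirrors the advisory's root cause: the sanitized copy is computed, then ignored.
    sanitized = sanitize_family_id(raw_family_id)  # computed but never used below
    # BUG: the raw request value, not `sanitized`, is spliced into the statement.
    sql = f"SELECT email FROM family WHERE fam_id = {raw_family_id}"
    return [row[0] for row in conn.execute(sql)]

def lookup_sanitized_used(conn, raw_family_id):
    # Minimal fix as the advisory describes it: the sanitized value feeds the query.
    sanitized = sanitize_family_id(raw_family_id)
    sql = f"SELECT email FROM family WHERE fam_id = {sanitized}"  # an int, never raw text
    return [row[0] for row in conn.execute(sql)]

def lookup_parameterized(conn, raw_family_id):
    # Preferred form: reject non-integers and bind the value; no string splicing at all.
    if not raw_family_id.isdigit():
        raise ValueError("familyId must be a positive integer")
    sql = "SELECT email FROM family WHERE fam_id = ?"
    return [row[0] for row in conn.execute(sql, (int(raw_family_id),))]
```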
Attack Vector
The vulnerability is exploitable over the network by authenticated users with low privileges. An attacker can craft malicious requests to the Reports/ConfirmReportEmail.php endpoint with specially crafted familyId parameter values containing SQL injection payloads. The time-based blind SQL injection technique allows attackers to:
- Enumerate database structure and table names
- Extract sensitive data character-by-character using conditional time delays
- Potentially modify or delete database records depending on database permissions
- Access personal information of church members stored in the system
The attack does not require user interaction and can be automated using standard SQL injection tools once an attacker has basic authentication to the ChurchCRM system.
Detection Methods for CVE-2026-39341
Indicators of Compromise
- Unusual response times from the Reports/ConfirmReportEmail.php endpoint indicating time-based SQL injection attempts
- HTTP requests containing SQL keywords such as SLEEP(), BENCHMARK(), WAITFOR, or pg_sleep() in the familyId parameter
- Multiple sequential requests to the same endpoint with incrementally modified payloads
- Database query logs showing anomalous queries with time-delay functions
Detection Strategies
- Implement Web Application Firewall (WAF) rules to detect SQL injection patterns in the familyId parameter
- Monitor application logs for requests to Reports/ConfirmReportEmail.php containing suspicious characters or SQL syntax
- Deploy database activity monitoring to identify queries with unusual execution times or time-delay functions
- Use intrusion detection systems with signatures for time-based SQL injection techniques
Monitoring Recommendations
- Enable detailed logging for the Reports/ConfirmReportEmail.php endpoint and review for anomalous input patterns
- Configure alerting for database queries exceeding normal execution time thresholds
- Monitor authentication logs for accounts making repeated requests to report generation endpoints
- Review web server access logs for automated scanning patterns targeting PHP endpoints
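A small log triage script for the indicators and monitoring points listed above, added here as an example and not part of the advisory or of ChurchCRM; the access-log layout, the sample lines, the 2000 ms slow-response threshold and the burst count are constructed assumptions. It flags familyId values carrying time-delay functions or non-numeric content, slow responses from the endpoint, and clients that probe it repeatedly:

```python
import re
from urllib.parse import urlsplit, parse_qs
ENDPOINT = "/Reports/ConfirmReportEmail.php"
DELAY_FUNCS = re.compile(r"\b(sleep|benchmark|waitfor|pg_sleep)\b", re.IGNORECASE)
# Assumed access-log layout (constructed): client "METHOD target" status duration_ms
LINE_RE = re.compile(r'^(\S+) "(\w+) (\S+)" (\d{3}) (\d+)$')
# Constructed sample traffic, not real logs: one normal lookup, three probes from one client.
SAMPLE_LOG = [
    '10.0.0.5 "GET /Reports/ConfirmReportEmail.php?familyId=12" 200 34',
    '10.0.0.9 "GET /Reports/ConfirmReportEmail.php?familyId=12%20AND%20SLEEP(5)" 200 5041',
    '10.0.0.9 "GET /Reports/ConfirmReportEmail.php?familyId=12%20AND%20BENCHMARK(5000000%2CMD5(1))" 200 4870',
    '10.0.0.9 "GET /Reports/ConfirmReportEmail.php?familyId=12%20AND%201%3D1" 200 38',
    '10.0.0.7 "GET /index.php" 200 20',
]

def parse_line(line):
    # Split one log line into client, path, URL-decoded familyId value and timing.
    m = LINE_RE.match(line)
    if not m:
        return None
    client, _method, target, _status, ms = m.groups()
    parts = urlsplit(target)
    family_id = parse_qs(parts.query).get("familyId", [None])[0]
    return {"client": client, "path": parts.path, "family_id": family_id, "ms": int(ms)}

def classify(rec, slow_ms=2000):
    # Return the indicator categories one request matches; an empty list means clean.
    if rec is None or rec["path"] != ENDPOINT or rec["family_id"] is None:
        return []
    value, reasons = rec["family_id"], []
    if DELAY_FUNCS.search(value):
        reasons.append("delay_function")   # SLEEP/BENCHMARK/WAITFOR/pg_sleep in familyId
    if not value.isdigit():
        reasons.append("non_numeric_id")   # familyId is expected to be a plain integer
    if rec["ms"] >= slow_ms:
        reasons.append("slow_response")    # timing consistent with an injected delay
    return reasons

def analyze(lines, slow_ms=2000, burst=3):
    # Group flagged requests per client; `burst` marks repeated probing of the endpoint.
    per_client = {}
    for line in lines:
        rec = parse_line(line)
        reasons = classify(rec, slow_ms)
        if reasons:
            entry = per_client.setdefault(rec["client"], {"flagged": 0, "reasons": set()})
            entry["flagged"] += 1
            entry["reasons"].update(reasons)
    for entry in per_client.values():
        entry["burst"] = entry["flagged"] >= burst
    return per_client
```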
How to Mitigate CVE-2026-39341
Immediate Actions Required
- Upgrade ChurchCRM to version 7.1.0 or later immediately
- Restrict access to the Reports/ConfirmReportEmail.php endpoint to only trusted administrative users
- Implement WAF rules to block SQL injection attempts while planning the upgrade
- Review database access logs for evidence of prior exploitation
Patch Information
The vulnerability has been fixed in ChurchCRM version 7.1.0. Organizations should upgrade to this version or later to address the SQL injection vulnerability. The fix ensures that properly sanitized input is used when constructing SQL queries, eliminating the injection vector. For detailed information about the security fix, refer to the GitHub Security Advisory.
Workarounds
- Implement network-level access controls to limit who can reach the ChurchCRM application
- Use a reverse proxy or WAF to filter requests containing SQL injection patterns in the familyId parameter
- Temporarily disable or restrict access to the Reports/ConfirmReportEmail.php endpoint if report functionality is not critical
- Apply principle of least privilege to the database user account used by ChurchCRM to limit potential damage from successful exploitation
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.