CVE-2026-39342 Overview
ChurchCRM is an open-source church management system. Prior to version 7.1.0, the searchwhat parameter of QueryView.php is vulnerable to SQL injection when the request carries QueryID=15. The vulnerability exists in the "Advanced Search" query feature and requires an authenticated user with access to Data/Reports > Query Menu. This SQL injection flaw allows attackers to manipulate database queries, potentially leading to unauthorized data access, data modification, or complete database compromise.
Critical Impact
Authenticated attackers can exploit this SQL injection vulnerability to extract sensitive church member data, modify database records, or potentially escalate to full database server compromise.
Affected Products
- ChurchCRM versions prior to 7.1.0
- ChurchCRM installations with Query Menu access enabled
- Systems with authenticated users having Data/Reports permissions
Discovery Timeline
- 2026-04-07 - CVE-2026-39342 published to NVD
- 2026-04-09 - Last updated in NVD database
Technical Details for CVE-2026-39342
Vulnerability Analysis
This vulnerability is classified as CWE-89: SQL Injection, a critical web application vulnerability that occurs when user-supplied input is improperly incorporated into SQL queries without adequate sanitization or parameterization.
The vulnerable endpoint resides in QueryView.php when processing the searchwhat parameter in conjunction with QueryID=15. This specific query ID corresponds to the "Advanced Search" functionality within ChurchCRM's reporting module. When an authenticated user with appropriate permissions submits a crafted search request, the application fails to properly validate or escape the input, allowing malicious SQL syntax to be executed directly against the underlying database.
The network-accessible nature of this vulnerability combined with low attack complexity makes it particularly dangerous in internet-facing deployments. While authentication is required, the level of access needed (Data/Reports > Query Menu) is commonly granted to administrative staff, increasing the potential attack surface.
Root Cause
The root cause of this vulnerability is improper input validation in the QueryView.php file. The searchwhat parameter is concatenated directly into SQL queries without proper sanitization, parameterization, or prepared statement usage. This allows specially crafted input containing SQL syntax to alter the intended query logic and execute arbitrary database commands.
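As an added illustration of the root cause (example code, not ChurchCRM's own code or schema), the following Python contrasts the concatenated query pattern with a parameterized one on a constructed in-memory SQLite table; a legitimate search term containing an apostrophe is enough to show that the concatenated form lets the searchwhat value change the statement itself.

```python
import sqlite3

def make_db():
    """Constructed in-memory stand-in for a member table; not ChurchCRM's schema."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE person (id INTEGER PRIMARY KEY, last_name TEXT, email TEXT)")
    conn.executemany("INSERT INTO person (last_name, email) VALUES (?, ?)",
                     [("Smith", "smith@example.org"), ("O'Brien", "obrien@example.org")])
    return conn

def search_concatenated(conn, searchwhat):
    """Vulnerable pattern (CWE-89): the parameter is pasted into the SQL text,
    so any quote or SQL syntax it contains becomes part of the statement."""
    sql = "SELECT last_name, email FROM person WHERE last_name LIKE '%" + searchwhat + "%'"
    return conn.execute(sql).fetchall()

def search_parameterized(conn, searchwhat):
    """Fixed pattern: the value is bound as a parameter and is only ever data."""
    sql = "SELECT last_name, email FROM person WHERE last_name LIKE ?"
    return conn.execute(sql, ("%" + searchwhat + "%",)).fetchall()

def compare(searchwhat):
    """Run both variants on the same input and report whether the unsafe one broke."""
    conn = make_db()
    safe = search_parameterized(conn, searchwhat)
    try:
        unsafe, error = search_concatenated(conn, searchwhat), None
    except sqlite3.Error as exc:
        # The apostrophe terminated the string literal: input became SQL syntax.
        unsafe, error = None, str(exc)
    return {"safe": safe, "unsafe": unsafe, "unsafe_error": error}
```

compare("O'Brien") returns the member from the parameterized query while the concatenated query fails with a syntax error; the same input-controls-syntax property is what an injection payload relies on.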
Attack Vector
The attack vector requires network access to the ChurchCRM application and valid credentials for a user account with Data/Reports > Query Menu permissions. An attacker would navigate to the QueryView.php endpoint with QueryID=15 and inject malicious SQL code through the searchwhat parameter.
The exploitation process involves crafting SQL payloads designed to:
- Extract sensitive information from the database through UNION-based or blind SQL injection techniques
- Modify or delete database records
- Potentially achieve command execution depending on database configuration and privileges
For technical details regarding the vulnerability mechanism, see the GitHub Security Advisory.
Detection Methods for CVE-2026-39342
Indicators of Compromise
- Unusual or malformed requests to QueryView.php containing SQL keywords such as UNION, SELECT, DROP, or comment characters (--, /**/)
- Unexpected database queries originating from the web application
- Database errors logged indicating syntax issues or injection attempts
- Anomalous data access patterns in church member records
Detection Strategies
- Implement web application firewall (WAF) rules to detect SQL injection patterns in requests to QueryView.php
- Monitor application logs for requests containing suspicious characters or SQL syntax in the searchwhat parameter
- Enable database query logging and alert on queries with unusual structure or content
- Deploy SentinelOne Singularity XDR to detect anomalous process behavior and database access patterns
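As an added example (not part of the original advisory and not ChurchCRM's or any vendor's code), the following Python scans constructed combined-format access-log lines for QueryView.php requests with QueryID=15 and scores the decoded searchwhat value against the indicator list above; the sample lines, indicator weights and alert threshold are assumptions chosen so that a lone apostrophe in a legitimate surname does not raise an alert by itself. Pass query_id=None to scan every QueryView.php request regardless of QueryID.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (combined log format); not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - alice [07/Apr/2026:10:15:01 +0000] "GET /QueryView.php?QueryID=15&searchwhat=O%27Brien HTTP/1.1" 200 5120
10.0.0.9 - bob [07/Apr/2026:10:16:30 +0000] "GET /QueryView.php?QueryID=15&searchwhat=Smith%27%20UNION%20SELECT%201--%20 HTTP/1.1" 200 8900
10.0.0.9 - bob [07/Apr/2026:10:16:45 +0000] "GET /QueryView.php?QueryID=15&searchwhat=a%27/**/OR/**/1%3D1 HTTP/1.1" 500 310
10.0.0.7 - carol [07/Apr/2026:10:17:02 +0000] "GET /QueryView.php?QueryID=3&searchwhat=UNION HTTP/1.1" 200 4000
10.0.0.5 - alice [07/Apr/2026:10:18:00 +0000] "GET /index.php HTTP/1.1" 200 2200
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
                    r'(?P<status>\d{3})', re.M)

# Indicators from the advisory's IoC list, weighted (assumed values) so that a lone
# apostrophe, legitimate in a surname such as O'Brien, does not alert on its own.
INDICATORS = [
    (re.compile(r"\bunion\b", re.I), "UNION", 2),
    (re.compile(r"\bselect\b", re.I), "SELECT", 2),
    (re.compile(r"\bdrop\b", re.I), "DROP", 2),
    (re.compile(r"--"), "comment --", 2),
    (re.compile(r"/\*.*?\*/"), "comment /**/", 2),
    (re.compile(r"'"), "quote", 1),
]

def score_searchwhat(value):
    """Return (score, [indicator names]) for one percent-decoded searchwhat value."""
    score, hits = 0, []
    for rx, name, weight in INDICATORS:
        if rx.search(value):
            score += weight
            hits.append(name)
    return score, hits

def scan_log(text, query_id="15", threshold=2):
    """Return findings for QueryView.php requests whose searchwhat looks injected."""
    findings = []
    for m in LOG_RE.finditer(text):
        url = urlsplit(m.group("target"))
        params = parse_qs(url.query)  # parse_qs percent-decodes the values
        if not url.path.endswith("/QueryView.php") or (
                query_id and params.get("QueryID", [None])[0] != query_id):
            continue
        for value in params.get("searchwhat", []):
            score, hits = score_searchwhat(value)
            if score >= threshold:
                findings.append({"ip": m.group("ip"), "status": m.group("status"),
                                 "value": value, "indicators": hits})
    return findings
```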
Monitoring Recommendations
- Configure alerts for multiple failed or unusual queries to the QueryView.php endpoint
- Monitor for bulk data extraction attempts or unusual database dump activities
- Review authentication logs for accounts accessing the Query Menu feature
- Implement network traffic analysis to detect potential data exfiltration
How to Mitigate CVE-2026-39342
Immediate Actions Required
- Upgrade ChurchCRM to version 7.1.0 or later immediately
- Restrict access to the Query Menu feature to only essential personnel
- Review user accounts with Data/Reports permissions and remove unnecessary access
- Enable web application firewall rules to block SQL injection attempts
Patch Information
ChurchCRM has addressed this vulnerability in version 7.1.0. Organizations should update their installations to this version or later to remediate the SQL injection flaw. The patch information is available through the GitHub Security Advisory.
Workarounds
- Disable or restrict access to the "Advanced Search" query (QueryID=15) until patching is complete
- Implement network-level access controls to limit who can reach the ChurchCRM application
- Deploy a web application firewall with SQL injection detection rules in blocking mode
- Consider temporarily disabling the Query Menu functionality for non-essential users
# Example: Restrict access to QueryView.php at the web server level (Apache)
# Add to .htaccess or the Apache virtual host configuration; 192.168.1.0/24 is a
# placeholder for the trusted network that should keep reaching the endpoint.
# Order/Deny/Allow is the Apache 2.2 access syntax; on Apache 2.4 it only works
# with mod_access_compat loaded.
<Files "QueryView.php">
    Order Deny,Allow
    Deny from all
    Allow from 192.168.1.0/24
</Files>
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.