CVE-2026-39342 Overview
ChurchCRM is an open-source church management system used by religious organizations to manage members, donations, and events. CVE-2026-39342 is a SQL injection vulnerability [CWE-89] affecting ChurchCRM versions prior to 7.1.0. The flaw resides in the searchwhat parameter handled by QueryView.php when invoked with QueryID=15 (the Advanced Search query). An authenticated user with access to Data/Reports > Query Menu can inject arbitrary SQL statements. The vulnerability is fixed in ChurchCRM 7.1.0.
Critical Impact
Authenticated attackers can read, modify, or destroy database contents — including member records, financial data, and credentials — through SQL injection in the Advanced Search query.
Affected Products
- ChurchCRM versions prior to 7.1.0
- QueryView.php endpoint with QueryID=15 (Advanced Search)
- Deployments exposing the Query Menu to authenticated users
Discovery Timeline
- 2026-04-07 - CVE-2026-39342 published to NVD
- 2026-04-10 - Last updated in NVD database
Technical Details for CVE-2026-39342
Vulnerability Analysis
The vulnerability is a classic SQL injection [CWE-89] in the Advanced Search functionality of ChurchCRM. When a user submits a query through QueryView.php with QueryID=15, the application passes the searchwhat parameter into a SQL statement without sufficient sanitization or parameterization. An authenticated user with access to the Query Menu and the Advanced Search query can supply crafted input that breaks out of the intended query context. The injected SQL executes with the privileges of the ChurchCRM database user, granting access to the entire application database.
Root Cause
The root cause is improper neutralization of user-supplied input in a SQL query. The searchwhat parameter is concatenated into the dynamic SQL constructed by the Advanced Search handler rather than being bound as a parameter. Because the value is treated as part of the query syntax, attackers can append clauses such as UNION SELECT, modify WHERE conditions, or terminate the original statement and stack additional commands depending on driver configuration.
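The following added example, which is not ChurchCRM code, shows the two patterns side by side in Python against an in-memory SQLite database (standing in for the MySQL/MariaDB backend). The table name person_per is taken from the page; the column names and the sample rows are constructed assumptions for the demonstration. The first function splices the searchwhat value into the statement text, the second binds it as a parameter, which is the fix the advisory describes.

```python
import sqlite3

# Constructed sample rows; the column names are assumptions, not ChurchCRM's real schema.
SAMPLE_PEOPLE = [
    ("Alice", "Anderson"),
    ("Bob", "Brown"),
    ("Carol", "Clark"),
]


def build_db():
    """Create an in-memory SQLite database with a constructed person_per table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE person_per (per_FirstName TEXT, per_LastName TEXT)")
    conn.executemany("INSERT INTO person_per VALUES (?, ?)", SAMPLE_PEOPLE)
    conn.commit()
    return conn


def advanced_search_vulnerable(conn, searchwhat):
    """Pattern of the flaw (CWE-89): the user-controlled value becomes part of the
    SQL text, so a quote character in it changes the structure of the statement."""
    sql = ("SELECT per_FirstName, per_LastName FROM person_per "
           "WHERE per_LastName = '" + searchwhat + "'")
    return conn.execute(sql).fetchall()


def advanced_search_fixed(conn, searchwhat):
    """Hardened form: the value is passed as a bound parameter, so the database only
    ever treats it as data to compare against, never as query syntax."""
    sql = ("SELECT per_FirstName, per_LastName FROM person_per "
           "WHERE per_LastName = ?")
    return conn.execute(sql, (searchwhat,)).fetchall()


if __name__ == "__main__":
    db = build_db()
    # A normal search behaves identically in both versions.
    print(advanced_search_vulnerable(db, "Brown"))
    print(advanced_search_fixed(db, "Brown"))
    # A value containing a quote: the concatenated query's WHERE clause is
    # rewritten and returns every row; the parameterized query returns nothing.
    print(advanced_search_vulnerable(db, "' OR '1'='1"))
    print(advanced_search_fixed(db, "' OR '1'='1"))
```

The parameterized version is the correct pattern regardless of driver: escaping or filtering the value is not equivalent, because the fix has to be that the value can never be interpreted as part of the statement.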
Attack Vector
Exploitation requires network access to the ChurchCRM web interface and an authenticated account with permission to the Data/Reports > Query Menu and the Advanced Search query. The attacker issues an HTTP request to QueryView.php with QueryID=15 and a malicious searchwhat value. No user interaction beyond the attacker's own session is required. Because many ChurchCRM deployments grant report access to broad user roles, the privilege barrier is often low in practice.
No public proof-of-concept exploit has been published. Technical details are described in the GitHub Security Advisory GHSA-7fr4-mvfm-cxfx.
Detection Methods for CVE-2026-39342
Indicators of Compromise
- HTTP requests to QueryView.php containing QueryID=15 and SQL meta-characters (', --, UNION, SELECT, ;) in the searchwhat parameter
- Web server access logs showing unusually long or encoded searchwhat values from authenticated sessions
- Unexpected database errors or large result sets logged by the ChurchCRM application
- Outbound traffic or data exfiltration originating from the ChurchCRM database host
Detection Strategies
- Inspect web access logs for GET or POST requests to QueryView.php?QueryID=15 and flag non-alphanumeric content in searchwhat
- Deploy a web application firewall rule targeting SQL injection patterns on the ChurchCRM URI path
- Enable MySQL or MariaDB general query logging temporarily to identify malformed queries originating from the application
- Correlate authentication events with Advanced Search activity to spot abuse by compromised accounts
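As an added example of the first detection strategy (and of the first two indicators of compromise above), the following Python script, which is not part of the advisory or of ChurchCRM, scans Apache-style access log lines for requests to QueryView.php with QueryID=15, URL-decodes the searchwhat value, and scores it for SQL meta-characters. The log lines are constructed for the example; the usernames, addresses and scoring weights are assumptions.

```python
import re
from urllib.parse import parse_qs, unquote_plus, urlsplit

# Constructed access log lines (not real traffic). Line 2 carries SQL keywords and a
# comment marker, line 3 targets a different QueryID, line 4 is a legitimate surname
# with an apostrophe.
SAMPLE_LOG = """\
10.0.0.5 - pastor [07/Apr/2026:10:01:12 +0000] "GET /QueryView.php?QueryID=15&searchwhat=Smith HTTP/1.1" 200 2310
10.0.0.5 - pastor [07/Apr/2026:10:02:45 +0000] "GET /QueryView.php?QueryID=15&searchwhat=Smith%27+UNION+SELECT+1%2C2%2C3-- HTTP/1.1" 200 8812
10.0.0.9 - office [07/Apr/2026:10:03:01 +0000] "GET /QueryView.php?QueryID=3&searchwhat=%27 HTTP/1.1" 200 512
10.0.0.9 - office [07/Apr/2026:10:04:20 +0000] "GET /QueryView.php?QueryID=15&searchwhat=O%27Brien HTTP/1.1" 200 1900
10.0.0.7 - guest [07/Apr/2026:10:05:00 +0000] "GET /index.php HTTP/1.1" 200 100
"""

# Common/combined log format: client, ident, user, timestamp, request line, status, size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<bytes>\d+|-)'
)

# Meta-characters and keywords named in the advisory's indicators of compromise.
SQL_META_RE = re.compile(r"('|--|;|\bunion\b|\bselect\b)", re.IGNORECASE)


def parse_line(line):
    """Split one access log line into fields plus the decoded query parameters."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec["target"])
    rec["path"] = parts.path
    rec["params"] = {k: v[0] for k, v in parse_qs(parts.query, keep_blank_values=True).items()}
    return rec


def score_searchwhat(value):
    """Return (score, matched tokens). A lone apostrophe is weighted low because it
    occurs in real surnames; keywords and comment/terminator tokens weigh more."""
    hits = [h.lower() for h in SQL_META_RE.findall(value)]
    score = sum(1 if h == "'" else 2 for h in hits)
    return score, hits


def analyze_log(text):
    """Return one record per QueryID=15 Advanced Search request that carries searchwhat."""
    findings = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None or not rec["path"].lower().endswith("/queryview.php"):
            continue
        if rec["params"].get("QueryID") != "15" or "searchwhat" not in rec["params"]:
            continue
        # parse_qs already decoded once; decode again so a double-encoded value
        # does not slip past the pattern match.
        value = unquote_plus(rec["params"]["searchwhat"])
        score, hits = score_searchwhat(value)
        findings.append({"ip": rec["ip"], "user": rec["user"], "ts": rec["ts"],
                         "searchwhat": value, "score": score, "hits": hits})
    return findings


def flagged(findings, threshold=2):
    """Keep only requests whose score reaches the alert threshold."""
    return [f for f in findings if f["score"] >= threshold]


if __name__ == "__main__":
    for f in flagged(analyze_log(SAMPLE_LOG)):
        print(f"{f['ts']} user={f['user']} ip={f['ip']} score={f['score']} "
              f"hits={f['hits']} searchwhat={f['searchwhat']!r}")
```

Only GET requests can be scored this way, since standard access logs do not record POST bodies; for POST traffic the same scoring has to run at the WAF or reverse proxy, which sees the request body. Correlating the user field with the authentication log covers the fourth strategy in the list.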
Monitoring Recommendations
- Monitor for new or modified database users, privilege grants, and schema changes within the ChurchCRM database
- Alert on bulk reads from sensitive tables such as person_per, family_fam, and credential or donation tables
- Track failed login attempts followed by successful logins targeting accounts with report access
- Review audit logs for the Query Menu and Advanced Search usage at least weekly
How to Mitigate CVE-2026-39342
Immediate Actions Required
- Upgrade ChurchCRM to version 7.1.0 or later without delay
- Restrict access to Data/Reports > Query Menu to a minimal set of trusted administrators until patching is complete
- Rotate database credentials and any application secrets that may have been exposed if exploitation is suspected
- Review user accounts and revoke unnecessary report or query permissions
Patch Information
The vulnerability is fixed in ChurchCRM 7.1.0. Upgrade instructions and the security advisory are available at the ChurchCRM GitHub Security Advisory GHSA-7fr4-mvfm-cxfx. Administrators should back up the database before applying the upgrade and verify that the QueryView.php handler reflects the patched code.
Workarounds
- Disable or remove the Advanced Search query (QueryID=15) from the Query Menu until the upgrade is applied
- Place the ChurchCRM instance behind a web application firewall with SQL injection signatures enabled
- Limit the ChurchCRM database account to least-privilege permissions, removing FILE, DROP, and administrative rights
- Restrict network access to the ChurchCRM administrative interface to trusted source addresses
# Example: restrict database privileges for the ChurchCRM user
REVOKE ALL PRIVILEGES ON churchcrm.* FROM 'churchcrm_user'@'localhost';
GRANT SELECT, INSERT, UPDATE, DELETE ON churchcrm.* TO 'churchcrm_user'@'localhost';
FLUSH PRIVILEGES;
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.