Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2026-40581

CVE-2026-40581: ChurchCRM CSRF Vulnerability

CVE-2026-40581 is a CSRF flaw in ChurchCRM that allows attackers to silently delete family records and associated data when admins visit malicious pages. This article covers technical details, affected versions, and mitigation.

Published:

CVE-2026-40581 Overview

ChurchCRM is an open-source church management system. In versions prior to 7.2.0, the family record deletion endpoint (SelectDelete.php) performs permanent, irreversible deletion of family records and all associated data via a plain GET request with no CSRF token validation. An attacker can craft a malicious page that, when visited by an authenticated administrator, silently triggers deletion of targeted family records including associated notes, pledges, persons, and property data without any user interaction. This issue has been fixed in version 7.2.0.

Critical Impact

This CSRF vulnerability enables attackers to permanently destroy church family records, pledges, persons, and associated data through social engineering, causing irreversible data loss with no user confirmation required.

Affected Products

  • ChurchCRM versions prior to 7.2.0
  • ChurchCRM SelectDelete.php endpoint
  • ChurchCRM Family Management Module

Discovery Timeline

  • 2026-04-18 - CVE CVE-2026-40581 published to NVD
  • 2026-04-20 - Last updated in NVD database

Technical Details for CVE-2026-40581

Vulnerability Analysis

This vulnerability represents a classic Cross-Site Request Forgery (CWE-352) flaw in ChurchCRM's family record management functionality. The SelectDelete.php endpoint accepts destructive deletion operations through unauthenticated GET requests without implementing any CSRF protection mechanisms. When an authenticated administrator visits an attacker-controlled webpage containing a malicious link or embedded resource pointing to the vulnerable endpoint, the browser automatically includes the administrator's session cookies with the request, authorizing the deletion operation.

The lack of CSRF token validation combined with the use of GET requests for state-changing operations violates fundamental web security principles. GET requests should be idempotent and safe, reserved only for data retrieval operations. Using GET for destructive actions like database record deletion is inherently dangerous and enables trivial exploitation through image tags, iframes, or simple hyperlinks.

Root Cause

The root cause of this vulnerability is the absence of CSRF token validation in the SelectDelete.php endpoint. The application fails to verify that deletion requests originate from legitimate user interactions within the application's interface. Additionally, the endpoint incorrectly uses the HTTP GET method for a destructive operation that permanently removes family records and all cascaded associated data including notes, pledges, persons, and property information.

Attack Vector

The attack leverages the network-accessible nature of the ChurchCRM application. An attacker crafts a malicious webpage, email, or forum post containing a hidden reference to the vulnerable deletion endpoint with the target family record ID. When an authenticated ChurchCRM administrator visits this malicious content, their browser automatically sends the GET request to the vulnerable endpoint. Because the administrator's session is active and no CSRF token is required, the server processes the deletion request as if it were a legitimate action performed by the administrator.

The exploitation requires minimal user interaction—the administrator simply needs to view the attacker's content while logged into ChurchCRM. The attack can be disguised within seemingly innocuous content such as an image that fails to load (using the malicious URL as the image source) or an invisible iframe, making detection extremely difficult.

Detection Methods for CVE-2026-40581

Indicators of Compromise

  • Unexpected family record deletions appearing in application audit logs without corresponding administrator activity
  • HTTP access logs showing GET requests to SelectDelete.php with external or unexpected referrer headers
  • Multiple family record deletions occurring in rapid succession or during unusual hours
  • User complaints about missing family data, pledges, or associated records

Detection Strategies

  • Monitor web server access logs for GET requests to SelectDelete.php originating from external referrers or lacking expected application referrer headers
  • Implement log correlation between deletion events and administrator session activity to identify unauthorized deletions
  • Deploy web application firewall (WAF) rules to alert on state-changing requests lacking CSRF tokens
  • Review application audit trails for bulk deletion patterns that may indicate automated exploitation

Monitoring Recommendations

  • Enable verbose logging for all destructive database operations within ChurchCRM
  • Configure alerting for deletion operations on the family records table during non-business hours
  • Implement session activity monitoring to correlate administrator actions with expected user behavior
  • Establish baseline metrics for record deletion frequency to detect anomalous spikes

How to Mitigate CVE-2026-40581

Immediate Actions Required

  • Upgrade ChurchCRM to version 7.2.0 or later immediately
  • Review application audit logs for any suspicious family record deletions since deployment
  • Educate administrators about the risks of clicking unknown links or visiting untrusted websites while logged into ChurchCRM
  • Consider implementing additional database-level backup procedures for critical family record data

Patch Information

The vulnerability has been addressed in ChurchCRM version 7.2.0. The fix implements proper CSRF token validation for the family record deletion endpoint and likely converts the operation to use POST requests with appropriate confirmation workflows.

Relevant patch resources:

Workarounds

  • If immediate upgrade is not possible, implement a reverse proxy or WAF rule to block external referrers from accessing SelectDelete.php
  • Restrict administrative access to ChurchCRM to trusted network segments or VPN connections only
  • Instruct administrators to use dedicated browsers or private browsing sessions exclusively for ChurchCRM administrative tasks
  • Implement network-level access controls to limit who can reach the ChurchCRM administrative interface
bash
# Example: Apache configuration to restrict SelectDelete.php access
<Location "/SelectDelete.php">
    # Deny requests without a valid internal referrer
    SetEnvIf Referer "^https://your-churchcrm-domain\.com/" valid_referer
    Require env valid_referer
</Location>

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.