CVE-2026-40581 Overview
ChurchCRM is an open-source church management system. In versions prior to 7.2.0, the family record deletion endpoint (SelectDelete.php) performs permanent, irreversible deletion of family records and all associated data via a plain GET request with no CSRF token validation. An attacker can craft a malicious page that, when visited by an authenticated administrator, silently triggers deletion of targeted family records including associated notes, pledges, persons, and property data without any user interaction. This issue has been fixed in version 7.2.0.
Critical Impact
This CSRF vulnerability enables attackers to permanently destroy church family records, pledges, persons, and associated data through social engineering, causing irreversible data loss with no user confirmation required.
Affected Products
- ChurchCRM versions prior to 7.2.0
- ChurchCRM SelectDelete.php endpoint
- ChurchCRM Family Management Module
Discovery Timeline
- 2026-04-18 - CVE CVE-2026-40581 published to NVD
- 2026-04-20 - Last updated in NVD database
Technical Details for CVE-2026-40581
Vulnerability Analysis
This vulnerability represents a classic Cross-Site Request Forgery (CWE-352) flaw in ChurchCRM's family record management functionality. The SelectDelete.php endpoint accepts destructive deletion operations through unauthenticated GET requests without implementing any CSRF protection mechanisms. When an authenticated administrator visits an attacker-controlled webpage containing a malicious link or embedded resource pointing to the vulnerable endpoint, the browser automatically includes the administrator's session cookies with the request, authorizing the deletion operation.
The lack of CSRF token validation combined with the use of GET requests for state-changing operations violates fundamental web security principles. GET requests should be idempotent and safe, reserved only for data retrieval operations. Using GET for destructive actions like database record deletion is inherently dangerous and enables trivial exploitation through image tags, iframes, or simple hyperlinks.
Root Cause
The root cause of this vulnerability is the absence of CSRF token validation in the SelectDelete.php endpoint. The application fails to verify that deletion requests originate from legitimate user interactions within the application's interface. Additionally, the endpoint incorrectly uses the HTTP GET method for a destructive operation that permanently removes family records and all cascaded associated data including notes, pledges, persons, and property information.
Attack Vector
The attack leverages the network-accessible nature of the ChurchCRM application. An attacker crafts a malicious webpage, email, or forum post containing a hidden reference to the vulnerable deletion endpoint with the target family record ID. When an authenticated ChurchCRM administrator visits this malicious content, their browser automatically sends the GET request to the vulnerable endpoint. Because the administrator's session is active and no CSRF token is required, the server processes the deletion request as if it were a legitimate action performed by the administrator.
The exploitation requires minimal user interaction—the administrator simply needs to view the attacker's content while logged into ChurchCRM. The attack can be disguised within seemingly innocuous content such as an image that fails to load (using the malicious URL as the image source) or an invisible iframe, making detection extremely difficult.
Detection Methods for CVE-2026-40581
Indicators of Compromise
- Unexpected family record deletions appearing in application audit logs without corresponding administrator activity
- HTTP access logs showing GET requests to SelectDelete.php with external or unexpected referrer headers
- Multiple family record deletions occurring in rapid succession or during unusual hours
- User complaints about missing family data, pledges, or associated records
Detection Strategies
- Monitor web server access logs for GET requests to SelectDelete.php originating from external referrers or lacking expected application referrer headers
- Implement log correlation between deletion events and administrator session activity to identify unauthorized deletions
- Deploy web application firewall (WAF) rules to alert on state-changing requests lacking CSRF tokens
- Review application audit trails for bulk deletion patterns that may indicate automated exploitation
Monitoring Recommendations
- Enable verbose logging for all destructive database operations within ChurchCRM
- Configure alerting for deletion operations on the family records table during non-business hours
- Implement session activity monitoring to correlate administrator actions with expected user behavior
- Establish baseline metrics for record deletion frequency to detect anomalous spikes
How to Mitigate CVE-2026-40581
Immediate Actions Required
- Upgrade ChurchCRM to version 7.2.0 or later immediately
- Review application audit logs for any suspicious family record deletions since deployment
- Educate administrators about the risks of clicking unknown links or visiting untrusted websites while logged into ChurchCRM
- Consider implementing additional database-level backup procedures for critical family record data
Patch Information
The vulnerability has been addressed in ChurchCRM version 7.2.0. The fix implements proper CSRF token validation for the family record deletion endpoint and likely converts the operation to use POST requests with appropriate confirmation workflows.
Relevant patch resources:
- GitHub Commit Update - Contains the security fix
- GitHub Pull Request #8613 - Pull request with the patch
- GitHub Security Advisory GHSA-6qxv-xw9j-77pj - Official security advisory
Workarounds
- If immediate upgrade is not possible, implement a reverse proxy or WAF rule to block external referrers from accessing SelectDelete.php
- Restrict administrative access to ChurchCRM to trusted network segments or VPN connections only
- Instruct administrators to use dedicated browsers or private browsing sessions exclusively for ChurchCRM administrative tasks
- Implement network-level access controls to limit who can reach the ChurchCRM administrative interface
# Example: Apache configuration to restrict SelectDelete.php access
<Location "/SelectDelete.php">
# Deny requests without a valid internal referrer
SetEnvIf Referer "^https://your-churchcrm-domain\.com/" valid_referer
Require env valid_referer
</Location>
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
