Authorization bypass through user-controlled key in ChurchCRM - CVE-2026-39331


Published: April 9, 2026

Vulnerability identifier: #VU125703
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2026-39331
CWE-ID: CWE-639
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: ChurchCRM
Affected software:
ChurchCRM

Detailed vulnerability description

The vulnerability allows a remote user to modify arbitrary family records and trigger unauthorized family operations.

The vulnerability exists due to an authorization bypass through a user-controlled key (CWE-639) in the family API endpoints in src/api/routes/people/people-family.php: the endpoints act on whichever {familyId} value the request supplies without verifying that the requesting user is authorized for that family. A remote user can send specially crafted API requests with a modified {familyId} parameter to modify arbitrary family records and trigger unauthorized family operations.

The affected endpoints can be used to activate or deactivate families, trigger verification actions and emails, and invoke geocoding for arbitrary families.
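The following is an added illustration of the CWE-639 pattern described above, written for this advisory; it is not ChurchCRM code and does not reproduce the project's routes, data model or log format. The record types, the permission model (`managed_family_ids`), the log line format and the sample data are all constructed assumptions. It places a handler that trusts the request-supplied key beside one that checks the caller's right to that specific record, and adds a log-review heuristic that surfaces one account acting on many distinct family ids.

```python
import re
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass
class Family:
    family_id: int
    name: str
    active: bool = True


@dataclass
class User:
    user_id: int
    is_admin: bool = False
    # Families this user may manage. This permission model is an assumption
    # for the illustration; real applications use roles or ACLs.
    managed_family_ids: set = field(default_factory=set)


class AuthorizationError(Exception):
    pass


def sample_families():
    """Constructed sample records (not real data)."""
    return {1: Family(1, "Family A"), 2: Family(2, "Family B")}


def deactivate_family_unchecked(families, user, family_id):
    """Vulnerable shape (CWE-639): the key taken from the request selects the
    record and the handler acts on it. Being logged in is the only gate, so
    changing the id in the request reaches any family."""
    fam = families[family_id]
    fam.active = False
    return fam


def can_manage_family(user, family_id):
    """Object-level check: may this caller act on this particular family?"""
    return user.is_admin or family_id in user.managed_family_ids


def deactivate_family_checked(families, user, family_id):
    """Hardened shape: resolve the record, then verify the caller's right to
    that specific record before any state change or side effect."""
    fam = families.get(family_id)
    if fam is None:
        raise LookupError(f"family {family_id} not found")
    if not can_manage_family(user, family_id):
        raise AuthorizationError(
            f"user {user.user_id} may not manage family {family_id}")
    fam.active = False
    return fam


# Assumed access-log shape: "<ts> user=<id> <METHOD> /api/family/<id>/<action> <status>"
LOG_RE = re.compile(
    r"user=(?P<user>\d+) \S+ /api/family/(?P<fid>\d+)/\S* (?P<status>\d{3})")


def users_touching_many_families(log_lines, threshold):
    """Detection heuristic for log review: one account successfully acting on
    an unusual number of distinct family ids is the footprint an id-swapping
    caller leaves. Only 2xx responses are counted."""
    seen = defaultdict(set)
    for line in log_lines:
        m = LOG_RE.search(line)
        if not m or not m.group("status").startswith("2"):
            continue
        seen[int(m.group("user"))].add(int(m.group("fid")))
    return {u: len(f) for u, f in seen.items() if len(f) >= threshold}


# Constructed log lines in the assumed format above (not ChurchCRM's log format).
SAMPLE_LOG = [
    "2026-04-09T10:00:01Z user=7 POST /api/family/1/deactivate 200",
    "2026-04-09T10:00:02Z user=7 POST /api/family/2/deactivate 200",
    "2026-04-09T10:00:03Z user=7 POST /api/family/3/verify 200",
    "2026-04-09T10:00:04Z user=7 POST /api/family/4/geolocate 200",
    "2026-04-09T10:00:05Z user=12 POST /api/family/5/activate 200",
    "2026-04-09T10:00:06Z user=12 POST /api/family/6/activate 403",
]


if __name__ == "__main__":
    member = User(user_id=7, managed_family_ids={1})
    # Unchecked handler: a user authorized only for family 1 deactivates family 2.
    print(deactivate_family_unchecked(sample_families(), member, 2).active)
    # Checked handler: the same request is refused before any state changes.
    try:
        deactivate_family_checked(sample_families(), member, 2)
    except AuthorizationError as e:
        print("blocked:", e)
    print(users_touching_many_families(SAMPLE_LOG, threshold=3))
```

The fix is the object-level check placed between resolving the record and acting on it; a check that only confirms the user is logged in, or that they hold some family-management role in general, does not close this class of bug. The log heuristic is a starting point for review, not a detection rule: choose the threshold from the normal number of families a given role touches in your deployment.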

How to mitigate CVE-2026-39331

Install the security update from the vendor's website.

Sources