Missing Authorization in ChurchCRM - #VU129695
Published: May 5, 2026
ChurchCRM
Detailed vulnerability description
The vulnerability allows a remote user to modify family status and generate verification tokens.
The vulnerability exists because the family activate and verify endpoints perform no authorization check when handling authenticated requests to POST /api/family/{familyId}/activate/{status}, /verify, /verify/now, and GET /verify/url. Any authenticated remote user can therefore send crafted requests to modify family status and generate verification tokens.
The affected routes also allow sending verification emails.
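The following is an added example, not ChurchCRM's own code, that models the four routes named above as a small route table and contrasts a dispatcher that only checks authentication (the missing-authorization pattern the advisory describes) with one that also enforces a per-route permission. The route paths are taken from the advisory; the permission name `ManageFamilies`, the `true|false` form of `{status}`, the `User` model and the in-memory family store are assumptions made for illustration.

```python
"""Added example (not ChurchCRM's code): authentication-only vs. permission-checked dispatch
for the family activate/verify routes named in the advisory."""
import re
import secrets
from dataclasses import dataclass, field


@dataclass
class User:
    # Assumed session model: a name, an authentication flag and a set of permission strings.
    name: str
    authenticated: bool = True
    permissions: set = field(default_factory=set)


class Unauthenticated(Exception):
    pass


class Forbidden(Exception):
    pass


class NotFound(Exception):
    pass


# Route table: (method, path pattern, permission the caller must hold).
# Paths come from the advisory; 'ManageFamilies' and the true|false status form are assumptions.
ROUTES = [
    ("POST", r"^/api/family/(?P<familyId>\d+)/activate/(?P<status>true|false)$", "ManageFamilies"),
    ("POST", r"^/api/family/(?P<familyId>\d+)/verify$", "ManageFamilies"),
    ("POST", r"^/api/family/(?P<familyId>\d+)/verify/now$", "ManageFamilies"),
    ("GET", r"^/api/family/(?P<familyId>\d+)/verify/url$", "ManageFamilies"),
]


def match_route(method, path):
    """Return (path params, required permission) for the first matching route."""
    for route_method, pattern, permission in ROUTES:
        if route_method != method:
            continue
        match = re.match(pattern, path)
        if match:
            return match.groupdict(), permission
    raise NotFound(f"{method} {path}")


def apply_action(method, path, params, families):
    """Mutate the family record the way the advisory describes: flip status or mint a token."""
    family = families[params["familyId"]]
    if method == "POST" and "/activate/" in path:
        family["active"] = params["status"] == "true"
        return {"active": family["active"]}
    # /verify, /verify/now and /verify/url all generate a verification token here.
    token = secrets.token_urlsafe(16)
    family["tokens"].append(token)
    return {"token": token}


def dispatch_vulnerable(user, method, path, families):
    """Checks only that the caller is logged in; the route's permission is looked up but ignored."""
    if not user.authenticated:
        raise Unauthenticated(user.name)
    params, _required = match_route(method, path)  # _required never consulted: the flaw
    return apply_action(method, path, params, families)


def dispatch_hardened(user, method, path, families):
    """Checks authentication and then the per-route permission before touching any state."""
    if not user.authenticated:
        raise Unauthenticated(user.name)
    params, required = match_route(method, path)
    if required not in user.permissions:
        raise Forbidden(f"{user.name} lacks {required} for {method} {path}")
    return apply_action(method, path, params, families)


def make_families():
    """Constructed sample data standing in for the database."""
    return {"12": {"active": True, "tokens": []}}


if __name__ == "__main__":
    families = make_families()
    member = User("member")  # authenticated, but holds no permissions
    print(dispatch_vulnerable(member, "POST", "/api/family/12/activate/false", families))
    try:
        dispatch_hardened(member, "POST", "/api/family/12/verify", families)
    except Forbidden as exc:
        print("blocked:", exc)
```

The useful habit this shows is keeping the required permission next to the route definition, so a dispatcher that forgets to consult it is visible in one place; a review of the route table, or a test that walks every entry and asserts a permission is set, catches the gap before it ships.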