CVE-2026-39318
Status: Received - Intake
SQL Injection in ChurchCRM GroupPropsFormRowOps.php Allows Data Manipulation

Publication date: 2026-04-07

Last updated on: 2026-04-15

Assigner: GitHub, Inc.

Description
ChurchCRM is an open-source church management system. Versions prior to 7.1.0 have an SQL injection vulnerability in the endpoints `/GroupPropsFormRowOps.php`, `/PersonCustomFieldsRowOps.php`, and `/FamilyCustomFieldsRowOps.php`. The attacker has to be authenticated: for `/GroupPropsFormRowOps.php` the `ManageGroups` privilege has to be enabled, and for the other two endpoints the request has to be made by an administrative user. Such users can inject arbitrary SQL statements through the `Field` parameter and thus modify tables in the database. This vulnerability is fixed in 7.1.0.
Meta Information
Published: 2026-04-07
Last Modified: 2026-04-15
Generated: 2026-05-07
AI Q&A: 2026-04-07
EPSS Evaluated: 2026-05-05
Affected Vendors & Products (1 associated CPE)
Vendor: churchcrm
Product: churchcrm
Version / Range: to 7.0.5 (inclusive)
CWE
CWE-89: The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2026-39318 is a critical SQL injection vulnerability found in ChurchCRM versions 7.0.5 and earlier, specifically in the GroupPropsFormRowOps.php file.

The vulnerability occurs because user input from the "Field" parameter is inserted directly into SQL queries without proper sanitization. The mysqli_real_escape_string() call used to sanitize the input does not escape backtick (`) characters, which allows attackers to break out of the backtick-quoted SQL identifier context.

This enables attackers to execute arbitrary SQL commands, such as dropping database tables or modifying data.

To exploit this vulnerability, an attacker must have a valid ChurchCRM user account with the "ManageGroups" permission and target a group where grp_hasSpecialProps=1. The "Field" parameter must correspond to a property registered in the groupprop_master table.

The issue was fixed in ChurchCRM version 7.1.0 by validating the "Field" parameter against a whitelist of valid fields.


How can this vulnerability impact me?

This vulnerability can have severe impacts on the confidentiality, integrity, and availability of your ChurchCRM system.

An attacker exploiting this SQL injection can execute arbitrary SQL commands, which may include dropping database tables, modifying or deleting data, and gaining unauthorized access to sensitive information.

Because the attack requires only low complexity, low privileges, and no user interaction, it poses a significant risk to systems running vulnerable versions.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by monitoring for suspicious HTTP GET requests targeting the GroupPropsFormRowOps.php file with crafted 'Field' parameters that include SQL injection payloads, such as backtick characters and SQL commands (for example, a Field value of c1`; DROP TABLE injection_proof_table#).

Detection can involve inspecting web server logs or using network monitoring tools to identify such malicious requests.

Example commands to detect potential exploitation attempts include using grep on web server logs:

  • grep 'GroupPropsFormRowOps.php' /var/log/apache2/access.log | grep 'Field='
  • grep -E 'Field=.*`|Field=.*DROP|Field=.*;|Field=.*#' /var/log/apache2/access.log

Additionally, using intrusion detection systems (IDS) with SQL injection signatures or web application firewalls (WAF) can help detect and alert on such malicious inputs.
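The greps above look for literal metacharacters, but a client normally sends the backtick percent-encoded (%60), so the request line in the access log will not contain a raw backtick. As an added example (not code from ChurchCRM or from this page), the following Python scanner URL-decodes the Field parameter for the three affected endpoints before inspecting it and flags any value that is not a bare identifier. The sample log lines are constructed, and the rule that legitimate Field values look like plain property names such as c1 is an assumption to tune against the names registered in your own groupprop_master table.

```python
import re
from urllib.parse import unquote_plus

# Basenames of the endpoints named in the advisory.
AFFECTED = {"GroupPropsFormRowOps.php", "PersonCustomFieldsRowOps.php",
            "FamilyCustomFieldsRowOps.php"}
# Assumption: a legitimate Field value is a plain property name such as "c1".
IDENTIFIER = re.compile(r"^[A-Za-z0-9_]+$")
# Characters that only make sense if the value is meant to leave the backtick-quoted identifier context.
INDICATORS = {"`": "backtick", ";": "statement separator", "#": "comment",
              "--": "comment", "'": "quote"}
REQUEST_RE = re.compile(r'^(?P<ip>\S+) .*?"[A-Z]+ (?P<target>\S+) HTTP/[\d.]+"')  # client IP + request target

def field_values(query):
    """Decoded values of the Field parameter (%60 -> `, %3B -> ;, %23 -> #)."""
    values = []
    for pair in query.split("&"):
        key, _, value = pair.partition("=")
        if unquote_plus(key) == "Field":
            values.append(unquote_plus(value))
    return values

def scan_line(line):
    """(ip, endpoint, decoded Field, indicators) for a suspicious request, else None."""
    m = REQUEST_RE.match(line)
    if not m:
        return None
    path, _, query = m.group("target").partition("?")
    if path.rsplit("/", 1)[-1] not in AFFECTED:
        return None
    for value in field_values(query):
        if IDENTIFIER.fullmatch(value):
            continue  # plain identifier: consistent with a registered property name
        hits = [name for token, name in INDICATORS.items() if token in value]
        return (m.group("ip"), path, value, hits or ["non-identifier characters"])
    return None

def scan_log(text):
    return [hit for hit in map(scan_line, text.splitlines()) if hit]

# Constructed sample traffic, not real log data; line 2 is the advisory's example payload URL-encoded.
SAMPLE_LOG = """\
10.0.0.5 - alice [07/Apr/2026:10:00:01 +0000] "GET /GroupPropsFormRowOps.php?Field=c1 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.9 - bob [07/Apr/2026:10:00:07 +0000] "GET /GroupPropsFormRowOps.php?Field=c1%60%3B%20DROP%20TABLE%20injection_proof_table%23 HTTP/1.1" 200 512 "-" "curl/8.5.0"
10.0.0.9 - bob [07/Apr/2026:10:00:09 +0000] "GET /index.php?Field=x%60 HTTP/1.1" 200 100 "-" "curl/8.5.0"
10.0.0.7 - carol [07/Apr/2026:10:00:12 +0000] "GET /churchcrm/PersonCustomFieldsRowOps.php?Field=c2%3B HTTP/1.1" 200 300 "-" "Mozilla/5.0"
"""
if __name__ == "__main__":
    for ip, endpoint, value, hits in scan_log(SAMPLE_LOG):
        print(f"{ip} {endpoint} Field={value!r}: {', '.join(hits)}")
```

Running it on the sample reports the two requests whose decoded Field value is not a bare identifier and ignores the same payload sent to an unrelated page.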


What immediate steps should I take to mitigate this vulnerability?

The immediate mitigation step is to upgrade ChurchCRM to version 7.1.0 or later, where this SQL injection vulnerability in GroupPropsFormRowOps.php has been fixed.

Until the upgrade can be performed, restrict access to the affected functionality by limiting user permissions, especially the 'ManageGroups' permission, to trusted users only.

Validate the 'Field' parameter against a whitelist of valid fields retrieved from the groupprop_master table, rejecting any input not in this list.

Consider deploying web application firewalls (WAF) or intrusion prevention systems (IPS) to block malicious SQL injection attempts targeting this vulnerability.
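The whitelist step matters because a column name cannot be passed as a bound parameter and string escaping does not protect an identifier, so the only safe source for the identifier is the registry itself. As an added example (not ChurchCRM's code), here is that pattern in Python against an in-memory SQLite database standing in for MySQL; the table layout and column names are constructed placeholders, not the real ChurchCRM schema.

```python
import sqlite3

# Constructed stand-in for the property registry and the table it describes;
# these column names are placeholders, not the real ChurchCRM schema.
SCHEMA = """
CREATE TABLE groupprop_master (grp_id INTEGER, prop_field TEXT, prop_name TEXT);
CREATE TABLE group_props (grp_id INTEGER, c1 TEXT, c2 TEXT);
INSERT INTO groupprop_master VALUES (3, 'c1', 'Choir section'), (3, 'c2', 'Robe size');
INSERT INTO group_props VALUES (3, 'alto', 'M');
"""

class InvalidField(ValueError):
    """Raised when the requested Field is not registered for the group."""

def registered_fields(conn, group_id):
    """Whitelist of property columns registered for this group."""
    rows = conn.execute("SELECT prop_field FROM groupprop_master WHERE grp_id = ?", (group_id,))
    return {row[0] for row in rows}

def update_property(conn, group_id, field, value):
    """Hardened write: the column name must come from the registry, never from the
    request as-is; only the value travels as a bound parameter."""
    if field not in registered_fields(conn, group_id):
        raise InvalidField(f"Field {field!r} is not registered for group {group_id}")
    # Interpolating `field` is now safe: it equals a string stored in our own table.
    conn.execute(f"UPDATE group_props SET `{field}` = ? WHERE grp_id = ?", (value, group_id))
    return conn.execute(f"SELECT `{field}` FROM group_props WHERE grp_id = ?",
                        (group_id,)).fetchone()[0]

def demo():
    """Accept a registered field, reject the advisory's example payload."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    updated = update_property(conn, 3, "c1", "soprano")
    try:
        update_property(conn, 3, "c1`; DROP TABLE injection_proof_table#", "x")
        rejected = False
    except InvalidField:
        rejected = True
    return updated, rejected

if __name__ == "__main__":
    print(demo())
```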


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

The SQL injection vulnerability in ChurchCRM allows attackers to execute arbitrary SQL commands, potentially compromising the confidentiality, integrity, and availability of the system's data.

Such a compromise can lead to unauthorized access, modification, or deletion of sensitive data, which may include personal or protected information managed by the system.

This poses a risk to compliance with common standards and regulations like GDPR and HIPAA, which require organizations to protect personal and sensitive data against unauthorized access and ensure data integrity and availability.

Failure to address this vulnerability could result in violations of these regulations, potentially leading to legal penalties, reputational damage, and loss of trust.

