CVE-2026-39327
SQL Injection in ChurchCRM MemberRoleChange.php Allows Data Manipulation
Publication date: 2026-04-07
Last updated on: 2026-04-10
Assigner: GitHub, Inc.
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| churchcrm | churchcrm | up to 7.1.0 (exclusive) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-89 | The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data. |
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The SQL injection vulnerability in ChurchCRM allows authenticated users with limited privileges to execute arbitrary SQL commands, leading to unauthorized extraction, modification, or deletion of sensitive data.
Such unauthorized access and manipulation of data can compromise the confidentiality, integrity, and availability of personal and sensitive information stored in the database.
This poses significant risks to compliance with common standards and regulations like GDPR and HIPAA, which require strict protection of personal data and mandate controls to prevent unauthorized access and data breaches.
Failure to address this vulnerability could result in violations of these regulations, potentially leading to legal penalties, reputational damage, and loss of trust.
Can you explain this vulnerability to me?
CVE-2026-39327 is a high-severity SQL injection vulnerability found in ChurchCRM version 7.0.5, specifically in the endpoint /MemberRoleChange.php.
Authenticated users with the "Manage Groups & Roles" (ManageGroups) privilege can exploit this vulnerability by injecting arbitrary SQL commands through the NewRole parameter.
The vulnerability occurs because the NewRole parameter is taken as a string without proper integer validation and is directly concatenated into an SQL UPDATE statement without sanitization, allowing attackers to manipulate the database query.
This enables attackers to extract, modify, or delete sensitive information from the database.
How can this vulnerability impact me?
This vulnerability can have severe impacts including unauthorized access to sensitive data, modification or deletion of database records, and potentially full database compromise.
Attackers with the ManageGroups role can perform SQL injection attacks to read confidential information, alter data integrity, or disrupt availability.
There is also a risk of privilege escalation and remote code execution depending on the database configuration and available SQL functions.
Overall, it poses a high risk to the confidentiality, integrity, and availability of the ChurchCRM system.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by testing the /MemberRoleChange.php endpoint for SQL injection via the NewRole POST parameter.
One method is to intercept a POST request to /MemberRoleChange.php with parameters GroupID, PersonID, and Return, then modify the NewRole parameter to include an SQL injection payload such as: NewRole=2 AND (SELECT 7752 FROM (SELECT(SLEEP(5)))HEir). A 5-second delay in response indicates a successful injection.
Tools like Burp Suite can be used for manual testing of this injection.
Alternatively, sqlmap can be used with a crafted request file targeting the NewRole parameter to automate detection and database enumeration.
What immediate steps should I take to mitigate this vulnerability?
The primary mitigation is to upgrade ChurchCRM to version 7.1.0 or later, where this SQL injection vulnerability is fixed.
Additionally, ensure proper input validation and use parameterized queries to prevent SQL injection attacks.
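The two handlers below are an added illustration of the defect described above (NewRole taken as a raw string and concatenated into an UPDATE) next to the hardened form the mitigation calls for (integer validation plus a parameterized query). It is written in Python over an in-memory SQLite table so it runs stand-alone; it is not ChurchCRM's code, and the table and column names are hypothetical.

```python
import re
import sqlite3


def make_db():
    # Constructed stand-in for a group-membership table; schema is hypothetical.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE member_role (group_id INTEGER, person_id INTEGER, role_id INTEGER)")
    db.executemany("INSERT INTO member_role VALUES (?, ?, ?)",
                   [(1, 10, 1), (1, 11, 1), (2, 10, 3)])
    db.commit()
    return db


def change_role_vulnerable(db, params):
    # The pattern the advisory describes: request values are concatenated into
    # the statement text, so a NewRole that is not a bare integer becomes SQL.
    sql = ("UPDATE member_role SET role_id = " + params["NewRole"]
           + " WHERE group_id = " + params["GroupID"]
           + " AND person_id = " + params["PersonID"])
    cur = db.execute(sql)
    db.commit()
    return cur.rowcount


def change_role_fixed(db, params):
    # Hardened handler: every id must be a plain decimal integer (checked
    # before any SQL is built), and values are bound, never spliced into text.
    ids = {}
    for name in ("GroupID", "PersonID", "NewRole"):
        value = params.get(name, "")
        if not isinstance(value, str) or not re.fullmatch(r"[0-9]{1,10}", value):
            raise ValueError(f"{name} must be a positive integer")
        ids[name] = int(value)
    cur = db.execute(
        "UPDATE member_role SET role_id = ? WHERE group_id = ? AND person_id = ?",
        (ids["NewRole"], ids["GroupID"], ids["PersonID"]))
    db.commit()
    return cur.rowcount  # rows changed: 1 for a valid request


def roles(db):
    # Snapshot of the table, used to confirm only the intended row changed.
    return sorted(db.execute("SELECT group_id, person_id, role_id FROM member_role").fetchall())
```

A request whose NewRole carries anything beyond digits is rejected before a statement exists, which is the check the advisory says the vulnerable endpoint lacked.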