Compliance Impact

This vulnerability allows unauthorized modification of family records, including deactivation/reactivation, verification, and triggering geocoding operations without proper authorization. Such unauthorized data modifications compromise data integrity and availability.

While the CVE description and resources do not explicitly mention compliance with standards like GDPR or HIPAA, the unauthorized access and modification of personal family data could potentially lead to non-compliance with data protection regulations that require strict access controls and data integrity safeguards.

Specifically, GDPR requires organizations to implement appropriate technical and organizational measures to ensure data security and prevent unauthorized access or alteration of personal data. This vulnerability violates those principles by allowing authenticated users without proper privileges to manipulate sensitive family records.

Useful 0 Not Useful 0

Executive Summary

CVE-2026-39331 is a high-severity API authorization bypass vulnerability in ChurchCRM versions up to 7.0.5. It allows an authenticated user without the required EditRecords privilege to modify any family record's state by changing the {familyId} parameter in API requests.

Five critical API endpoints lack proper role-based access control, allowing unauthorized users to deactivate/reactivate families, send spam verification emails, mark families as verified, and trigger geocoding operations.

The vulnerability arises because these endpoints only verify the existence of the family entity but do not enforce authorization checks based on user roles or ownership.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can lead to unauthorized modification of family records, including deactivation or reactivation of families, unauthorized verification, and triggering of geocoding operations.

Such unauthorized actions compromise data integrity by allowing changes without proper permissions and can impact availability by potentially causing denial-of-service if the external geocoding service fails.

Additionally, spamming family members with verification emails can cause nuisance and degrade user trust.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability can be detected by monitoring and testing the API endpoints that lack proper authorization checks. Specifically, the following endpoints should be tested for unauthorized access by an authenticated user without the EditRecords privilege:

• POST /family/{familyId}/verify
• GET /family/{familyId}/verify/url
• POST /family/{familyId}/verify/now
• POST /family/{familyId}/activate/{status}
• POST /family/{familyId}/geocode

To detect exploitation attempts, you can use commands like curl to send requests to these endpoints with different familyId values and observe if unauthorized modifications are allowed. Example commands include:

• curl -X POST -H "Authorization: Bearer <API_KEY>" https://<churchcrm-domain>/family/123/activate/0
• curl -X POST -H "Authorization: Bearer <API_KEY>" https://<churchcrm-domain>/family/123/verify
• curl -X POST -H "Authorization: Bearer <API_KEY>" https://<churchcrm-domain>/family/123/geocode

If these requests succeed without proper authorization errors, it indicates the presence of the vulnerability.

Useful 0 Not Useful 0

Mitigation Strategies

The immediate and recommended mitigation step is to upgrade ChurchCRM to version 7.1.0 or later, where this vulnerability has been fixed by adding proper role-based access control to the affected API endpoints.

If upgrading immediately is not possible, consider restricting access to the vulnerable API endpoints by network controls such as firewall rules or API gateway policies to limit authenticated user actions on these endpoints.

Additionally, monitor logs for suspicious activity involving the affected endpoints and familyId parameter manipulation to detect potential exploitation attempts.

Useful 0 Not Useful 0