CVE-2026-39331
Received Received - Intake
Authorization Bypass in ChurchCRM API Allows Unauthorized Family Modifications

Publication date: 2026-04-07

Last updated on: 2026-04-10

Assigner: GitHub, Inc.

Description
ChurchCRM is an open-source church management system. Prior to 7.1.0, an authenticated API user can modify any family record's state without proper authorization by simply changing the {familyId} parameter in requests, regardless of whether they possess the required EditRecords privilege. /family/{familyId}/verify, /family/{familyId}/verify/url, /family/{familyId}/verify/now, /family/{familyId}/activate/{status}, and /family/{familyId}/geocode lack role-based access control, allowing users to deactivate/reactivate arbitrary families, spam verification emails, and mark families as verified and trigger geocoding. This vulnerability is fixed in 7.1.0.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-07
Last Modified
2026-04-10
Generated
2026-05-07
AI Q&A
2026-04-07
EPSS Evaluated
2026-05-05
NVD
CVE-2026-39331
EUVD
EUVD-2026-19826
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
churchcrm churchcrm to 7.1.0 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-863 The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.
CWE-639 The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.
Attack-Flow Graph
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:

This vulnerability allows unauthorized modification of family records, including deactivation/reactivation, verification, and triggering geocoding operations without proper authorization. Such unauthorized data modifications compromise data integrity and availability.

While the CVE description and resources do not explicitly mention compliance with standards like GDPR or HIPAA, the unauthorized access and modification of personal family data could potentially lead to non-compliance with data protection regulations that require strict access controls and data integrity safeguards.

Specifically, GDPR requires organizations to implement appropriate technical and organizational measures to ensure data security and prevent unauthorized access or alteration of personal data. This vulnerability violates those principles by allowing authenticated users without proper privileges to manipulate sensitive family records.


Can you explain this vulnerability to me?

CVE-2026-39331 is a high-severity API authorization bypass vulnerability in ChurchCRM versions up to 7.0.5. It allows an authenticated user without the required EditRecords privilege to modify any family record's state by changing the {familyId} parameter in API requests.

Five critical API endpoints lack proper role-based access control, allowing unauthorized users to deactivate/reactivate families, send spam verification emails, mark families as verified, and trigger geocoding operations.

The vulnerability arises because these endpoints only verify the existence of the family entity but do not enforce authorization checks based on user roles or ownership.


How can this vulnerability impact me? :

This vulnerability can lead to unauthorized modification of family records, including deactivation or reactivation of families, unauthorized verification, and triggering of geocoding operations.

Such unauthorized actions compromise data integrity by allowing changes without proper permissions and can impact availability by potentially causing denial-of-service if the external geocoding service fails.

Additionally, spamming family members with verification emails can cause nuisance and degrade user trust.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by monitoring and testing the API endpoints that lack proper authorization checks. Specifically, the following endpoints should be tested for unauthorized access by an authenticated user without the EditRecords privilege:

  • POST /family/{familyId}/verify
  • GET /family/{familyId}/verify/url
  • POST /family/{familyId}/verify/now
  • POST /family/{familyId}/activate/{status}
  • POST /family/{familyId}/geocode

To detect exploitation attempts, you can use commands like curl to send requests to these endpoints with different familyId values and observe if unauthorized modifications are allowed. Example commands include:

  • curl -X POST -H "Authorization: Bearer <API_KEY>" https://<churchcrm-domain>/family/123/activate/0
  • curl -X POST -H "Authorization: Bearer <API_KEY>" https://<churchcrm-domain>/family/123/verify
  • curl -X POST -H "Authorization: Bearer <API_KEY>" https://<churchcrm-domain>/family/123/geocode

If these requests succeed without proper authorization errors, it indicates the presence of the vulnerability.


What immediate steps should I take to mitigate this vulnerability?

The immediate and recommended mitigation step is to upgrade ChurchCRM to version 7.1.0 or later, where this vulnerability has been fixed by adding proper role-based access control to the affected API endpoints.

If upgrading immediately is not possible, consider restricting access to the vulnerable API endpoints by network controls such as firewall rules or API gateway policies to limit authenticated user actions on these endpoints.

Additionally, monitor logs for suspicious activity involving the affected endpoints and familyId parameter manipulation to detect potential exploitation attempts.


Ask Our AI Assistant
Need more information? Ask your question to get an AI reply (Powered by our expertise)
0/70
EPSS Chart