#VU125703 Authorization bypass through user-controlled key in ChurchCRM - CVE-2026-39331


Published: April 9, 2026


Vulnerability identifier: #VU125703
Vulnerability risk: Medium
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2026-39331
CWE-ID: CWE-639
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vulnerable software: ChurchCRM
Software vendor: ChurchCRM

Description

The vulnerability allows a remote authenticated user to modify arbitrary family records and trigger unauthorized family operations.

The vulnerability exists due to an authorization bypass through a user-controlled key (CWE-639) in the family API endpoints in src/api/routes/people/people-family.php: the {familyId} route parameter is taken from the request and used to select the target record without checking that the caller is permitted to act on that family. A remote user with low-privilege access (PR:L in the CVSS vector) can send specially crafted API requests with a modified {familyId} value to modify arbitrary family records and trigger unauthorized family operations.

The affected endpoints can be used to activate or deactivate families, trigger verification actions and emails, and invoke geocoding for arbitrary families.
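The following is an added illustration of the CWE-639 pattern described above, not ChurchCRM's own code: a Slim-style route handler that selects the family record purely from the {familyId} parameter, next to a hardened version that checks the authenticated session user against that key before any side effect. The session user shape, the in-memory family table and the canManageFamily() rule are assumptions made for the example; the real project's permission model may differ.

```php
<?php
// Added example, not code from ChurchCRM. The data model and the
// authorization rule below are assumptions for illustration only.
declare(strict_types=1);

// Constructed sample data standing in for the family table.
$families = [
    1 => ['name' => 'Smith', 'active' => true, 'verified' => false],
    2 => ['name' => 'Jones', 'active' => true, 'verified' => false],
];

// Constructed session user: a low-privilege member tied to family 1.
$currentUser = ['id' => 42, 'familyId' => 1, 'isAdmin' => false];

// Vulnerable shape (CWE-639): the key from the URL picks the record and
// nothing ties that key to what the caller is allowed to do.
function familyActionUnchecked(array &$families, array $args, string $action): array
{
    $familyId = (int) ($args['familyId'] ?? 0);
    if (!isset($families[$familyId])) {
        return ['status' => 404];
    }
    applyFamilyAction($families[$familyId], $action);
    return ['status' => 200];
}

// Assumed authorization rule: admins may manage any family, everyone else
// only their own. Decided from the server-side session, never from input.
function canManageFamily(array $user, int $familyId): bool
{
    return $user['isAdmin'] || $user['familyId'] === $familyId;
}

// Hardened shape: same route, but the user-controlled key is validated and
// checked against the session user's privileges before any state change.
function familyActionChecked(array &$families, array $user, array $args, string $action): array
{
    $raw = (string) ($args['familyId'] ?? '');
    if ($raw === '' || !ctype_digit($raw)) {
        return ['status' => 400];
    }
    $familyId = (int) $raw;
    if (!isset($families[$familyId])) {
        return ['status' => 404];
    }
    if (!canManageFamily($user, $familyId)) {
        return ['status' => 403];
    }
    applyFamilyAction($families[$familyId], $action);
    return ['status' => 200];
}

// Stand-in for the side effects the advisory lists (activate/deactivate,
// verification, geocoding); geocoding is modelled as a flag only.
function applyFamilyAction(array &$family, string $action): void
{
    switch ($action) {
        case 'activate':   $family['active'] = true;  break;
        case 'deactivate': $family['active'] = false; break;
        case 'verify':     $family['verified'] = true; break;
        case 'geocode':    $family['geocoded'] = true; break;
        default: throw new InvalidArgumentException("unknown action $action");
    }
}

// Demo: the member of family 1 targets family 2 through the route parameter.
$r1 = familyActionUnchecked($families, ['familyId' => '2'], 'deactivate');
printf("unchecked: HTTP %d, family 2 active=%s\n",
    $r1['status'], var_export($families[2]['active'], true));

$families[2]['active'] = true; // reset for the second run
$r2 = familyActionChecked($families, $currentUser, ['familyId' => '2'], 'deactivate');
printf("checked:   HTTP %d, family 2 active=%s\n",
    $r2['status'], var_export($families[2]['active'], true));

$r3 = familyActionChecked($families, $currentUser, ['familyId' => '1'], 'verify');
printf("own family: HTTP %d, family 1 verified=%s\n",
    $r3['status'], var_export($families[1]['verified'], true));
```

Run with `php example.php`: the unchecked handler answers 200 and flips family 2 to inactive for a user who belongs to family 1, while the checked handler answers 403 and leaves the record untouched, and only the user's own family (id 1) is accepted. The important property is that the decision in canManageFamily() depends on the session user and the requested key together, so changing {familyId} alone cannot widen what the caller may do.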


Remediation

Install security update from vendor's website.

External links