CVE-2026-39331
Published: 07 April 2026
Summary
CVE-2026-39331 is a high-severity Authorization Bypass Through User-Controlled Key (CWE-639) vulnerability in ChurchCRM. Its CVSS base score is 8.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). It is ranked at the 14.5th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-6 (Least Privilege).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
AC-3 (Access Enforcement): enforces role-based access control policies to block unauthorized modifications to arbitrary family records via manipulated familyId parameters in API endpoints.
AC-6 (Least Privilege): applies least privilege to restrict authenticated users from accessing or modifying family records beyond their assigned permissions, mitigating privilege bypass.
Validates user-controlled familyId inputs against the caller's authorizations to prevent bypass of the EditRecords privilege in the vulnerable API endpoints.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Missing RBAC in public-facing ChurchCRM API endpoints enables exploitation of the web application (T1190) and direct unauthorized modification of stored family records (T1565.001, Stored Data Manipulation).
NVD Description
ChurchCRM is an open-source church management system. Prior to 7.1.0, an authenticated API user can modify any family record's state without proper authorization by simply changing the {familyId} parameter in requests, regardless of whether they possess the required EditRecords privilege. /family/{familyId}/verify, /family/{familyId}/verify/url, /family/{familyId}/verify/now, /family/{familyId}/activate/{status}, and /family/{familyId}/geocode lack role-based access control, allowing users to deactivate/reactivate arbitrary families, spam verification emails, and mark families as verified and trigger geocoding. This vulnerability is fixed in 7.1.0.
Deeper analysis
CVE-2026-39331 affects ChurchCRM, an open-source church management system, in versions prior to 7.1.0. The vulnerability stems from missing role-based access control (RBAC) in several API endpoints, including /family/{familyId}/verify, /family/{familyId}/verify/url, /family/{familyId}/verify/now, /family/{familyId}/activate/{status}, and /family/{familyId}/geocode. This allows an authenticated API user to modify the state of any family record simply by altering the {familyId} parameter in requests, bypassing required privileges such as EditRecords. It is rated 8.1 on the CVSS 3.1 scale (AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H) and maps to CWE-639 (Authorization Bypass Through User-Controlled Key) and CWE-863 (Incorrect Authorization).
An attacker with low-privilege authenticated access to the ChurchCRM API can exploit this issue remotely over the network with low complexity and no user interaction. By manipulating the familyId parameter, they can deactivate or reactivate arbitrary family records, spam verification emails to targeted families, prematurely mark families as verified, or trigger geocoding operations. This yields high integrity and availability impacts: unauthorized data manipulation, and potential denial of service through resource exhaustion from repeated verification or geocoding requests.
The ChurchCRM security advisory at https://github.com/ChurchCRM/CRM/security/advisories/GHSA-vwh8-x823-wjc5 confirms the issue and states that it is fixed in version 7.1.0, recommending immediate upgrades to mitigate the vulnerability.
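To make the CWE-639 gap concrete, here is an added Python model (not ChurchCRM's own PHP code) of the affected family-state handlers: the pre-7.1.0 shape acts on whatever familyId the caller supplies, while the fixed shape denies the call unless the user holds EditRecords. The `User`, `Family` and `requires` names are assumptions for this illustration.

```python
from dataclasses import dataclass
from functools import wraps


class AuthorizationError(Exception):
    """Raised when the caller lacks the privilege an endpoint requires."""


@dataclass
class User:
    name: str
    privileges: frozenset = frozenset()  # e.g. frozenset({"EditRecords"})


@dataclass
class Family:
    family_id: int
    active: bool = True
    verified: bool = False
    verify_mails_sent: int = 0


def requires(privilege):
    """Stand-in for the missing RBAC check (AC-3): deny before any write."""
    def deco(fn):
        @wraps(fn)
        def wrapper(user, families, family_id, *args):
            if privilege not in user.privileges:
                raise AuthorizationError(f"{user.name} lacks {privilege}")
            return fn(user, families, family_id, *args)
        return wrapper
    return deco


# Vulnerable shape (pre-7.1.0): the user-controlled familyId is the only key.
def activate_vulnerable(user, families, family_id, status):
    families[family_id].active = status
    return families[family_id].active


# Fixed shape: identical handlers, each gated on EditRecords.
@requires("EditRecords")
def activate(user, families, family_id, status):          # /activate/{status}
    families[family_id].active = status
    return families[family_id].active


@requires("EditRecords")
def verify_now(user, families, family_id):                # /verify/now
    families[family_id].verified = True
    return families[family_id].verified


@requires("EditRecords")
def send_verify_mail(user, families, family_id):          # /verify
    families[family_id].verify_mails_sent += 1
    return families[family_id].verify_mails_sent


def sample_families():
    """Constructed records standing in for the families table."""
    return {1: Family(1), 2: Family(2), 3: Family(3, active=False)}


def denied(fn, *args):
    """True if the handler refused the call without touching the record."""
    try:
        fn(*args)
    except AuthorizationError:
        return True
    return False
```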
Details
- CWE(s)