CVE-2026-39355
Published: 07 April 2026
Summary
CVE-2026-39355 is a critical-severity Missing Authorization (CWE-862) vulnerability in Kreaweb Genealogy. Its CVSS base score is 9.9 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked at the 16.5th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-6 (Least Privilege).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly enforces approved authorizations for logical access, preventing unauthorized authenticated users from transferring ownership of arbitrary non-personal teams.
Employs least privilege to restrict low-privileged users from performing sensitive team ownership transfer operations.
Manages group and role memberships including team ownership assignments, ensuring only authorized personnel can modify team ownership.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Broken access control allows low-privileged authenticated users to transfer team ownership, directly enabling exploitation for privilege escalation to gain control of other users' workspaces and data.
NVD Description
Genealogy is a family tree PHP application. Prior to 5.9.1, a critical broken access control vulnerability in the genealogy application allows any authenticated user to transfer ownership of arbitrary non-personal teams to themselves. This enables complete takeover of other users’…
more
team workspaces and unrestricted access to all genealogy data associated with the compromised team. This vulnerability is fixed in 5.9.1.
Deeper analysisAI
CVE-2026-39355 is a critical broken access control vulnerability (CWE-862) affecting Genealogy, an open-source family tree PHP application. In versions prior to 5.9.1, the flaw resides in the application's team management functionality, enabling improper handling of ownership transfers for non-personal teams. Assigned a CVSS v3.1 base score of 9.9 (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H), it stems from insufficient validation that allows unauthorized manipulation of team ownership.
Any low-privileged authenticated user can exploit this vulnerability remotely over the network with low complexity and no user interaction required. Successful exploitation permits the attacker to transfer ownership of arbitrary non-personal teams to themselves, resulting in complete takeover of other users' team workspaces. This grants unrestricted access to all genealogy data associated with the compromised team, including confidential family tree information, with high impacts on confidentiality, integrity, and availability due to the changed scope.
The vulnerability is addressed in Genealogy version 5.9.1, as detailed in the GitHub security advisory (GHSA-2rq7-jqm7-w8x4). Security practitioners should urge users to upgrade to the patched version immediately and review access controls in multi-tenant team environments to prevent similar issues.
Details
- CWE(s)