Cyber Resilience

CVE-2026-39355

Critical · Public PoC

Published: 07 April 2026
Modified: 10 April 2026
KEV Added: not listed
Patch: Genealogy 5.9.1
CVSS v3.1 score: 9.9 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H)
EPSS score: 0.0032 (23.1st percentile)
Risk Priority: 70 (floored blend · peak EPSS)

Summary

CVE-2026-39355 is a critical-severity Missing Authorization (CWE-862) vulnerability in Kreaweb Genealogy. Its CVSS base score is 9.9 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). The CVE sits at the 23.1st percentile by EPSS exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-6 (Least Privilege).

Deeper analysis

CVE-2026-39355 is a critical broken access control vulnerability (CWE-862, Missing Authorization) in Genealogy, an open-source family tree PHP application. In versions prior to 5.9.1 the flaw lies in the team management functionality: the ownership-transfer operation for non-personal teams does not verify that the requesting user actually owns the team it is asked to transfer. It carries a CVSS v3.1 base score of 9.9 (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H).

Any low-privileged authenticated user can exploit it remotely over the network, with low complexity and without user interaction. A successful request transfers ownership of an arbitrary non-personal team to the attacker, giving them complete control of that team's workspace and unrestricted access to all genealogy data in it, including confidential family tree information. The vector records high confidentiality, integrity and availability impact with a changed scope (S:C) because the attacker crosses from their own team's authorization boundary into other users' teams.

The fix ships in Genealogy 5.9.1 (GitHub security advisory GHSA-2rq7-jqm7-w8x4). Upgrade immediately. On self-hosted instances, also review the current owner of every non-personal team for unexpected changes, and check other multi-tenant team operations for the same missing ownership check.
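The flaw pattern and its fix, as an added example that is not Genealogy's own code and is not taken from the advisory. The Team class, the in-memory team and the user ids are constructed for illustration, and the check is shown framework-free; in the real application it would live in the controller or policy that handles the transfer request. The same block illustrates the AC-3 (access enforcement) and AC-6 (least privilege) controls listed under Mitigating Controls.

```php
<?php
// Added example (not Genealogy's code): CWE-862 in a team ownership
// transfer, vulnerable version beside the hardened one.
declare(strict_types=1);

final class Team
{
    public function __construct(
        public int $id,
        public int $ownerId,
        public bool $personal,
        /** @var int[] ids of users who are members of this team */
        public array $memberIds,
    ) {}
}

final class AuthorizationException extends RuntimeException {}

/**
 * VULNERABLE: the only precondition is "someone is logged in".
 * Any authenticated user can hand any non-personal team to themselves.
 */
function transferOwnershipVulnerable(Team $team, int $actingUserId, int $newOwnerId): void
{
    if ($actingUserId <= 0) {
        throw new AuthorizationException('login required');
    }
    if ($team->personal) {
        throw new AuthorizationException('personal teams cannot be transferred');
    }
    // Missing: no check that $actingUserId owns $team (CWE-862).
    $team->ownerId = $newOwnerId;
}

/**
 * FIXED: object-level authorization (AC-3) plus least privilege (AC-6):
 *   - only the current owner of *this* team may transfer it,
 *   - only to a user who is already a member of that team.
 */
function transferOwnershipFixed(Team $team, int $actingUserId, int $newOwnerId): void
{
    if ($actingUserId <= 0) {
        throw new AuthorizationException('login required');
    }
    if ($team->personal) {
        throw new AuthorizationException('personal teams cannot be transferred');
    }
    if ($team->ownerId !== $actingUserId) {
        // The check the vulnerable version lacks.
        throw new AuthorizationException('only the team owner may transfer ownership');
    }
    if (!in_array($newOwnerId, $team->memberIds, true)) {
        throw new AuthorizationException('new owner must already be a team member');
    }
    $team->ownerId = $newOwnerId;
}

// Constructed scenario: user 7 (attacker) is logged in but is neither the
// owner nor a member of team 42, which belongs to user 3.
$attacker = 7;
$victimTeam = static fn (): Team => new Team(id: 42, ownerId: 3, personal: false, memberIds: [3, 5]);

$t = $victimTeam();
transferOwnershipVulnerable($t, $attacker, $attacker);
printf("vulnerable: team %d now owned by %d (attacker)\n", $t->id, $t->ownerId);

$t = $victimTeam();
try {
    transferOwnershipFixed($t, $attacker, $attacker);
} catch (AuthorizationException $e) {
    printf("fixed: refused (%s); owner still %d\n", $e->getMessage(), $t->ownerId);
}

// The legitimate path still works: owner 3 transfers to member 5.
$t = $victimTeam();
transferOwnershipFixed($t, 3, 5);
printf("fixed: legitimate transfer, owner now %d\n", $t->ownerId);
```

The important point is that the ownership test is made against the specific team named in the request, not against a global "is this user an owner of something" flag; the latter is a common way such a check gets written and would still leave the arbitrary-team takeover open.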

Vulnerability details

Genealogy is a family tree PHP application. Prior to 5.9.1, a critical broken access control vulnerability in the genealogy application allows any authenticated user to transfer ownership of arbitrary non-personal teams to themselves. This enables complete takeover of other users' team workspaces and unrestricted access to all genealogy data associated with the compromised team. This vulnerability is fixed in 5.9.1.

CWE(s)

CWE-862 Missing Authorization

Related Threats

MITRE ATT&CK Enterprise Techniques (AI-mapped)

T1068 Exploitation for Privilege Escalation (tactic: Privilege Escalation)
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
Why these techniques?

Broken access control allows low-privileged authenticated users to transfer team ownership, directly enabling exploitation for privilege escalation to gain control of other users' workspaces and data.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-32658 (shared CWE-862)
CVE-2026-6506 (shared CWE-862)
CVE-2025-48574 (shared CWE-862)
CVE-2025-21396 (shared CWE-862)
CVE-2021-47701 (shared CWE-862)
CVE-2026-40349 (shared CWE-862)
CVE-2024-57726 (shared CWE-862)
CVE-2025-7665 (shared CWE-862)
CVE-2024-11936 (shared CWE-862)
CVE-2025-2815 (shared CWE-862)

Affected Assets

kreaweb
genealogy
< 5.9.1 (fixed in 5.9.1)

Mitigating Controls (NIST 800-53 r5, AI-mapped)

prevent · AC-3 Access Enforcement
Directly enforces approved authorizations for logical access, so that an authenticated user can transfer ownership only of a team they currently own, not of arbitrary non-personal teams.

prevent · AC-6 Least Privilege
Restricts the team ownership transfer operation to the team's owner rather than to any low-privileged authenticated user.

prevent
Manages group and role memberships, including team ownership assignments, so that only authorized personnel can modify team ownership.

References

GHSA-2rq7-jqm7-w8x4: GitHub security advisory for the Genealogy 5.9.1 fix