CVE-2026-40581
Published: 18 April 2026
Summary
CVE-2026-40581 is a high-severity CSRF (CWE-352) vulnerability. Its CVSS base score is 8.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks at the 0.3 percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SC-23 (Session Authenticity) and IA-11 (Re-authentication).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
Directly mitigates CSRF by requiring mechanisms such as anti-CSRF tokens to protect session authenticity and prevent forged cross-site requests from executing deletions.
Requires validation of all information inputs, including CSRF tokens or origin headers, to block illegitimate requests to the deletion endpoint.
Mandates re-authentication prior to privileged actions like family record deletions, which forged CSRF requests cannot provide without user interaction.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The CSRF vulnerability in the public-facing ChurchCRM web application (SelectDelete.php) directly enables T1190 (exploiting the public-facing application to perform unauthorized actions) and facilitates T1485 (Data Destruction), since the endpoint performs permanent data deletion with no CSRF protection.
NVD Description
ChurchCRM is an open-source church management system. In versions prior to 7.2.0, the family record deletion endpoint (SelectDelete.php) performs permanent, irreversible deletion of family records and all associated data via a plain GET request with no CSRF token validation. An attacker can craft a malicious page that, when visited by an authenticated administrator, silently triggers deletion of targeted family records including associated notes, pledges, persons, and property data without any user interaction. This issue has been fixed in version 7.2.0.
Deeper analysis
CVE-2026-40581 is a cross-site request forgery (CSRF) vulnerability in ChurchCRM, an open-source church management system, affecting versions prior to 7.2.0. The issue lies in the family record deletion endpoint (SelectDelete.php), which executes permanent, irreversible deletions of family records and all associated data—such as notes, pledges, persons, and property—via a plain GET request without CSRF token validation. This flaw maps to CWE-352 (CSRF) and CWE-862 (Missing Authorization), earning a CVSS v3.1 base score of 8.1 (AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H).
Attackers can exploit this vulnerability without authentication by crafting a malicious webpage that, when visited by an authenticated administrator, silently triggers deletion of targeted family records and linked data with no additional user interaction beyond loading the page. Exploitation requires tricking a privileged user into visiting the attacker's controlled site, such as through phishing or social engineering, enabling network-based disruption with high integrity and availability impacts but no confidentiality loss.
The vulnerability has been fixed in ChurchCRM version 7.2.0. Mitigation involves upgrading to this patched release. Official details are available in the GitHub security advisory (GHSA-6qxv-xw9j-77pj), the fixing pull request (#8613), and the remediation commit (39361628613af7682b813f3e62a412559616d674).
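The three defensive properties the analysis names (a destructive endpoint that rejects plain GET, validation of the request's origin and anti-CSRF token, and re-authentication before an irreversible deletion) are shown below as an added Python example of a hardened delete handler. This is not ChurchCRM's code; the `Request` class, `SITE_ORIGIN` and `REAUTH_MAX_AGE` are assumptions standing in for whatever the real framework provides.

```python
import hmac
import secrets
import time
from dataclasses import dataclass, field
from urllib.parse import urlparse

# Constructed stand-in for a framework request object; not ChurchCRM's own code.
@dataclass
class Request:
    method: str
    headers: dict = field(default_factory=dict)
    form: dict = field(default_factory=dict)
    session: dict = field(default_factory=dict)

SITE_ORIGIN = "https://churchcrm.example"  # assumed deployment origin
REAUTH_MAX_AGE = 300  # seconds a re-authentication stays fresh (assumed policy)

def issue_csrf_token(session: dict) -> str:
    """Mint a per-session token; the delete form carries it as a hidden field."""
    session["csrf_token"] = secrets.token_urlsafe(32)
    return session["csrf_token"]

def record_reauth(session: dict) -> None:
    """Called after the admin re-enters their password (IA-11)."""
    session["reauth_at"] = time.time()

def authorize_delete(req: Request) -> tuple[bool, str]:
    """Gate a family-record deletion. Returns (allowed, reason)."""
    # A destructive action must never be reachable by plain GET (what the
    # pre-7.2.0 endpoint accepted): browsers issue GETs for images, redirects
    # and prefetches with no user intent behind them.
    if req.method != "POST":
        return False, "method_not_allowed"
    # Origin (Referer as fallback) must be our own origin; a forged cross-site
    # request carries the attacker page's origin instead.
    src = req.headers.get("Origin") or req.headers.get("Referer")
    if not src:
        return False, "missing_origin"
    p = urlparse(src)
    if f"{p.scheme}://{p.netloc}" != SITE_ORIGIN:
        return False, "cross_site_origin"
    # SC-23: submitted anti-CSRF token must match the session copy (constant time).
    expected = req.session.get("csrf_token", "")
    supplied = req.form.get("csrf_token", "")
    if not expected or not hmac.compare_digest(expected.encode(), supplied.encode()):
        return False, "bad_csrf_token"
    # IA-11: an irreversible deletion also needs a recent re-authentication.
    if time.time() - req.session.get("reauth_at", 0) > REAUTH_MAX_AGE:
        return False, "reauth_required"
    return True, "ok"
```

Each check fails closed with a distinct reason string so that rejected requests can be logged and alerted on; a burst of `cross_site_origin` or `bad_csrf_token` rejections against the deletion endpoint is the detection signal for an attempted forgery.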
Details
- CWE(s)