Cyber Resilience

CVE-2026-40581

Severity: High
Published: 18 April 2026
Modified: 20 April 2026
CVSS v3.1 score: 8.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H)
EPSS score: 0.0020 (9.8th percentile)
Risk Priority: 55 (floored blend · peak EPSS)

Summary

CVE-2026-40581 is a high-severity CSRF (CWE-352) vulnerability. Its CVSS base score is 8.1 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 9.8th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SC-23 (Session Authenticity) and IA-11 (Re-authentication).

Deeper analysis

CVE-2026-40581 is a cross-site request forgery (CSRF) vulnerability in ChurchCRM, an open-source church management system, affecting versions prior to 7.2.0. The issue lies in the family record deletion endpoint (SelectDelete.php), which executes permanent, irreversible deletions of family records and all associated data—such as notes, pledges, persons, and property—via a plain GET request without CSRF token validation. This flaw maps to CWE-352 (CSRF) and CWE-862 (Missing Authorization), earning a CVSS v3.1 base score of 8.1 (AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H).

Attackers can exploit this vulnerability without authentication by crafting a malicious webpage that, when visited by an authenticated administrator, silently triggers deletion of targeted family records and linked data with no additional user interaction beyond loading the page. Exploitation requires tricking a privileged user into visiting the attacker's controlled site, such as through phishing or social engineering, enabling network-based disruption with high integrity and availability impacts but no confidentiality loss.

The vulnerability has been fixed in ChurchCRM version 7.2.0. Mitigation involves upgrading to this patched release. Official details are available in the GitHub security advisory (GHSA-6qxv-xw9j-77pj), the fixing pull request (#8613), and the remediation commit (39361628613af7682b813f3e62a412559616d674).

Vulnerability details

ChurchCRM is an open-source church management system. In versions prior to 7.2.0, the family record deletion endpoint (SelectDelete.php) performs permanent, irreversible deletion of family records and all associated data via a plain GET request with no CSRF token validation. An attacker can craft a malicious page that, when visited by an authenticated administrator, silently triggers deletion of targeted family records including associated notes, pledges, persons, and property data without any user interaction. This issue has been fixed in version 7.2.0.

Related Threats

MITRE ATT&CK Enterprise Techniques [AI]

- T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
- T1485 Data Destruction (Impact): Adversaries may destroy data and files on specific systems or in large numbers on a network to interrupt availability to systems, services, and network resources.

Why these techniques?

The CSRF vulnerability in the public-facing ChurchCRM web application (SelectDelete.php) directly enables T1190 exploitation for unauthorized actions, and facilitates T1485 because the endpoint performs permanent data deletion without CSRF protection.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

- CVE-2025-55046 (shared CWE-352)
- CVE-2025-68547 (shared CWE-862)
- CVE-2020-36852 (shared CWE-862)
- CVE-2025-22784 (shared CWE-352)
- CVE-2026-1169 (shared CWE-352, CWE-862)
- CVE-2026-32817 (shared CWE-862)
- CVE-2025-22657 (shared CWE-862)
- CVE-2026-25443 (shared CWE-862)
- CVE-2026-4365 (shared CWE-862)
- CVE-2026-4094 (shared CWE-862)

Affected Assets

Inferred from references and description; NVD did not file a CPE for this CVE.

Mitigating Controls (NIST 800-53 r5) [AI]

- SC-23 Session Authenticity (prevent): Directly mitigates CSRF by requiring mechanisms such as anti-CSRF tokens to protect session authenticity and prevent forged cross-site requests from executing deletions.
- Input validation control (prevent; control ID not given on this page): Requires validation of all information inputs, including CSRF tokens or origin headers, to block illegitimate requests to the deletion endpoint.
- IA-11 Re-authentication (prevent): Mandates re-authentication prior to privileged actions like family record deletions, which forged CSRF requests cannot provide without user interaction.
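The GET-based deletion pattern described in the analysis above and the SC-23/IA-11 controls listed here, shown side by side as an added Python example (not ChurchCRM's own code): a framework-free stand-in for the endpoint, with the unsafe handler beside a hardened one that refuses non-POST requests, checks Origin/Referer against the site origin, verifies a per-session token in constant time, and requires a recent re-authentication before deleting. The Request class, SITE_ORIGIN, REAUTH_WINDOW and the FamilyID/csrf_token field names are assumptions.

```python
import hmac
import secrets
from dataclasses import dataclass, field

# Constructed stand-in for the framework's request object; not ChurchCRM code.
@dataclass
class Request:
    method: str
    query: dict = field(default_factory=dict)
    form: dict = field(default_factory=dict)
    headers: dict = field(default_factory=dict)
    session: dict = field(default_factory=dict)

SITE_ORIGIN = "https://crm.example.org"  # assumed deployment origin
REAUTH_WINDOW = 300                      # assumed policy: password re-entered within 5 min

def issue_csrf_token(session: dict) -> str:
    """Per-session random token; the server embeds it in the delete form."""
    if "csrf" not in session:
        session["csrf"] = secrets.token_hex(32)
    return session["csrf"]

def delete_family_unsafe(req: Request, db: dict) -> int:
    """The pattern in the advisory: a plain GET deletes, nothing ties it to the admin's page."""
    fid = req.query.get("FamilyID")
    if fid not in db:
        return 404
    del db[fid]
    return 200

def delete_family_hardened(req: Request, db: dict, now: float) -> int:
    """Same endpoint with SC-23 (session-bound token, same-origin check) and
    IA-11 (recent re-authentication) enforced before anything is deleted."""
    if req.method != "POST":                       # state changes never on GET
        return 405
    origin = req.headers.get("Origin") or req.headers.get("Referer", "")
    if origin != SITE_ORIGIN and not origin.startswith(SITE_ORIGIN + "/"):
        return 403                                 # fail closed when both headers are absent
    expected = req.session.get("csrf", "")
    supplied = req.form.get("csrf_token", "")
    if not expected or not hmac.compare_digest(expected.encode(), supplied.encode()):
        return 403
    if now - req.session.get("reauth_at", 0) > REAUTH_WINDOW:
        return 401                                 # prompt for the password again first
    fid = req.form.get("FamilyID")
    if fid not in db:
        return 404
    del db[fid]
    return 200
```

The hardened handler returns 405, 403 or 401 before touching the database, so a log filter on those status codes for the deletion path is a simple detection signal for forged attempts.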
