ChurchCRM Time-Based Blind SQL Injection Vulnerability (CVE-2026-34402)

ChurchCRM is an open-source church management system. Prior to version 7.1.0, the application suffers from a time-based blind SQL injection vulnerability (CVE-2026-34402). Authenticated users with either “Edit Records” or “Manage Groups” permissions can exploit this flaw. Successful exploitation allows attackers to exfiltrate or modify any database content, which could include user credentials, personally identifiable information (PII), and configuration secrets. The vulnerable endpoint is PropertyAssign.php. This vulnerability was addressed and fixed in version 7.1.0 of ChurchCRM. Defenders should prioritize patching vulnerable instances to prevent unauthorized access and data breaches.

Attack Chain

1. An attacker gains valid credentials for ChurchCRM, with “Edit Records” or “Manage Groups” permissions. This could be achieved through credential stuffing, password reuse, or other means.
2. The attacker crafts a malicious HTTP request targeting the PropertyAssign.php endpoint. This request contains a SQL injection payload within a parameter processed by the application.
3. The application processes the malicious SQL query, injecting it into the database query without proper sanitization.
4. Due to the blind nature of the SQL injection, the attacker uses time-based techniques (e.g., SLEEP()) to infer information about the database structure and content.
5. The attacker iterates through various SQL injection payloads, slowly extracting sensitive data such as usernames, password hashes, and other PII.
6. The attacker may modify database records to escalate privileges, create new administrative accounts, or sabotage the application’s functionality.
7. The attacker exfiltrates the stolen data.
8. The final objective is to compromise the confidentiality, integrity, and availability of the ChurchCRM database, potentially leading to significant data breaches and reputational damage.

Impact

Successful exploitation of CVE-2026-34402 can have serious consequences. An attacker can gain unauthorized access to sensitive data stored within the ChurchCRM database. This includes user credentials, PII, and configuration secrets. The attacker can also modify database records, potentially disrupting church operations or causing financial harm. Given the sensitive nature of the data often stored in church management systems, the impact of this vulnerability could be substantial. The vulnerability affects ChurchCRM installations prior to version 7.1.0.

Recommendation

• Upgrade ChurchCRM installations to version 7.1.0 or later to remediate CVE-2026-34402.
• Deploy the Sigma rule detecting requests to PropertyAssign.php with sleep commands to your SIEM and tune for your environment.
• Monitor web server logs for suspicious activity targeting the PropertyAssign.php endpoint.
• Implement web application firewall (WAF) rules to block SQL injection attempts.
• Review user access controls within ChurchCRM to ensure that only authorized personnel have “Edit Records” or “Manage Groups” permissions.