{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/cve-2026-39331/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[{"cvss":8.1,"id":"CVE-2026-39331"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["cve-2026-39331","churchcrm","authorization-bypass","privilege-escalation","web-application"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eChurchCRM is an open-source church management system. Prior to version 7.1.0, a critical vulnerability exists (CVE-2026-39331) that allows authenticated API users to bypass authorization controls and modify family records without proper privileges. This is achieved by manipulating the \u003ccode\u003e{familyId}\u003c/code\u003e parameter in specific API requests. The vulnerability lies in the absence of role-based access control on several key API endpoints, including \u003ccode\u003e/family/{familyId}/verify\u003c/code\u003e, \u003ccode\u003e/family/{familyId}/verify/url\u003c/code\u003e, \u003ccode\u003e/family/{familyId}/verify/now\u003c/code\u003e, \u003ccode\u003e/family/{familyId}/activate/{status}\u003c/code\u003e, and \u003ccode\u003e/family/{familyId}/geocode\u003c/code\u003e. This allows attackers to deactivate/reactivate families, spam verification emails, mark families as verified, and trigger geocoding actions without the necessary permissions. This vulnerability poses a significant risk to the integrity and availability of ChurchCRM data, especially in multi-tenant environments. Upgrade to version 7.1.0 to remediate this vulnerability.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker authenticates to the ChurchCRM API with valid user credentials.\u003c/li\u003e\n\u003cli\u003eThe attacker identifies a target \u003ccode\u003efamilyId\u003c/code\u003e that they do not have explicit modification rights for.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious API request to one of the vulnerable endpoints: \u003ccode\u003e/family/{familyId}/verify\u003c/code\u003e, \u003ccode\u003e/family/{familyId}/verify/url\u003c/code\u003e, \u003ccode\u003e/family/{familyId}/verify/now\u003c/code\u003e, \u003ccode\u003e/family/{familyId}/activate/{status}\u003c/code\u003e, or \u003ccode\u003e/family/{familyId}/geocode\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker replaces the \u003ccode\u003e{familyId}\u003c/code\u003e parameter in the request URL with the target \u003ccode\u003efamilyId\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eFor example, the attacker sends a POST request to \u003ccode\u003e/family/123/activate/false\u003c/code\u003e to deactivate the family with ID 123.\u003c/li\u003e\n\u003cli\u003eDue to the lack of role-based access control, the server processes the request without verifying if the attacker has the necessary \u003ccode\u003eEditRecords\u003c/code\u003e privilege.\u003c/li\u003e\n\u003cli\u003eThe target family\u0026rsquo;s state is modified (e.g., deactivated, marked as verified).\u003c/li\u003e\n\u003cli\u003eThe attacker repeats this process for other families and actions, potentially causing widespread disruption or data manipulation.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-39331 allows an attacker to escalate privileges and manipulate sensitive family data within ChurchCRM. This can lead to unauthorized deactivation of families, generation of spam verification emails, inaccurate family verification status, and resource exhaustion due to excessive geocoding requests. While specific victim counts are unknown, all ChurchCRM instances prior to version 7.1.0 are vulnerable. The consequences include reputational damage, data integrity issues, and potential disruption of church operations.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eImmediately upgrade ChurchCRM to version 7.1.0 to patch CVE-2026-39331 and address the authorization bypass vulnerability.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for suspicious requests to the vulnerable API endpoints (\u003ccode\u003e/family/{familyId}/verify\u003c/code\u003e, \u003ccode\u003e/family/{familyId}/verify/url\u003c/code\u003e, \u003ccode\u003e/family/{familyId}/verify/now\u003c/code\u003e, \u003ccode\u003e/family/{familyId}/activate/{status}\u003c/code\u003e, \u003ccode\u003e/family/{familyId}/geocode\u003c/code\u003e) as detected by the Sigma rule \u0026ldquo;ChurchCRM Family ID Manipulation\u0026rdquo;.\u003c/li\u003e\n\u003cli\u003eImplement stricter input validation and role-based access controls on all API endpoints to prevent unauthorized data modification, especially those handling sensitive data like family records.\u003c/li\u003e\n\u003cli\u003eReview and audit existing ChurchCRM user permissions to identify and revoke any unnecessary privileges that could be exploited in conjunction with this vulnerability.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-07T18:16:44Z","date_published":"2026-04-07T18:16:44Z","id":"/briefs/2026-04-churchcrm-auth-bypass/","summary":"An authenticated API user of ChurchCRM prior to v7.1.0 can bypass authorization checks and modify arbitrary family records by manipulating the familyId parameter in API requests, leading to privilege escalation and potential data manipulation.","title":"ChurchCRM Authenticated API User Authorization Bypass (CVE-2026-39331)","url":"https://feed.craftedsignal.io/briefs/2026-04-churchcrm-auth-bypass/"}],"language":"en","title":"CraftedSignal Threat Feed — Cve-2026-39331","version":"https://jsonfeed.org/version/1.1"}