{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/cve-2026-39355/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[{"cvss":9.9,"id":"CVE-2026-39355"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["critical"],"_cs_tags":["broken-access-control","php","genealogy","CVE-2026-39355"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eGenealogy is a family tree PHP application that, prior to version 5.9.1, contained a critical broken access control vulnerability identified as CVE-2026-39355. This flaw allows any authenticated user to transfer ownership of non-personal teams to themselves without proper authorization checks. This unauthorized ownership transfer leads to complete takeover of other users’ team workspaces, granting the attacker unrestricted access to all genealogy data associated with the compromised team. This vulnerability poses a significant risk to data confidentiality and integrity within organizations using affected versions of the Genealogy application. \nVersion 5.9.1 addresses and resolves this vulnerability.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker authenticates to the Genealogy application with valid user credentials.\u003c/li\u003e\n\u003cli\u003eThe attacker identifies a target \u0026ldquo;team\u0026rdquo; within the application that is not their own.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious HTTP request to the application\u0026rsquo;s team ownership transfer functionality, specifying the target team and the attacker\u0026rsquo;s user ID as the new owner.\u003c/li\u003e\n\u003cli\u003eDue to the broken access control vulnerability (CVE-2026-39355), the application fails to validate the attacker\u0026rsquo;s authorization to perform the ownership transfer.\u003c/li\u003e\n\u003cli\u003eThe application incorrectly updates the team\u0026rsquo;s ownership data, assigning ownership to the attacker.\u003c/li\u003e\n\u003cli\u003eThe attacker now possesses full administrative control over the compromised team\u0026rsquo;s workspace and data.\u003c/li\u003e\n\u003cli\u003eThe attacker accesses and exfiltrates sensitive genealogy data, including family trees, personal information, and other confidential records.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-39355 allows an attacker to gain complete control over targeted teams within the Genealogy application. This leads to unauthorized access to sensitive genealogy data, potentially impacting all users and families represented within the compromised teams. The impact includes data exfiltration, modification, or deletion, potentially causing significant reputational damage and legal liabilities. \nWhile the exact number of affected installations is unknown, all organizations running versions prior to 5.9.1 are vulnerable.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eImmediately upgrade the Genealogy application to version 5.9.1 or later to patch CVE-2026-39355.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for suspicious POST requests to team management endpoints, specifically those related to team ownership transfer. Use the provided Sigma rule \u003ccode\u003eDetect Suspicious Genealogy Team Ownership Transfer\u003c/code\u003e to detect unauthorized attempts.\u003c/li\u003e\n\u003cli\u003eImplement strict access control policies within the Genealogy application, ensuring that users can only access and modify data related to teams they are authorized to manage.\u003c/li\u003e\n\u003cli\u003eEnable detailed logging for all user authentication and authorization events within the Genealogy application to facilitate incident investigation.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-07T19:16:46Z","date_published":"2026-04-07T19:16:46Z","id":"/briefs/2026-04-genealogy-acl/","summary":"A critical broken access control vulnerability (CVE-2026-39355) in Genealogy PHP application versions prior to 5.9.1 allows authenticated users to transfer ownership of arbitrary teams, leading to complete takeover of team workspaces and unrestricted data access.","title":"Genealogy PHP Application Broken Access Control Vulnerability (CVE-2026-39355)","url":"https://feed.craftedsignal.io/briefs/2026-04-genealogy-acl/"}],"language":"en","title":"CraftedSignal Threat Feed — CVE-2026-39355","version":"https://jsonfeed.org/version/1.1"}