SQL Injection Vulnerability in ChurchCRM Open-Source Management System
CVE-2026-34402

8.1HIGH

Key Information:

Vendor: Churchcrm
Status: Crm
Vendor: CVE Published:; 6 April 2026

What is CVE-2026-34402?

ChurchCRM, an open-source church management system, is affected by a time-based blind SQL injection vulnerability. Authenticated users with Edit Records or Manage Groups permissions can exploit this flaw in the PropertyAssign.php endpoint. This exploitation can lead to unauthorized access, allowing attackers to exfiltrate or modify database content, including sensitive user credentials and personal identifiable information (PII). The vulnerability has been addressed in version 7.1.0, emphasizing the necessity for users to update to the latest version to safeguard their data.

Affected Version(s)

CRM < 7.1.0

References

https://github.com/ChurchCRM/CRM/security/advisories/GHSA...

x_refsource_CONFIRM

CVSS V3.1

Score:

8.1

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Apr 6, 2026
Vulnerability Reserved
Mar 27, 2026

CVE-2026-34402 Data

JSON

Churchcrm

What is CVE-2026-34402?

Affected Version(s)

References

CVSS V3.1

Timeline