Role-Based Access Control Flaw in ChurchCRM by ChurchCRM
CVE-2026-39331

8.1HIGH

Key Information:

Vendor: Churchcrm
Status: Crm
Vendor: CVE Published:; 7 April 2026

What is CVE-2026-39331?

ChurchCRM, an open-source church management system, has a vulnerability that allows an authenticated API user to alter family record states without proper authorization. By merely adjusting the {familyId} parameter in API requests, users can manipulate family records through endpoints such as /family/{familyId}/verify and /family/{familyId}/activate/{status}, among others. This vulnerability exists due to inadequate role-based access control mechanisms, permitting unauthorized users to deactivate/reactivate family records, generate spam verification emails, and mark families as verified. The issue has been resolved in version 7.1.0.

Affected Version(s)

CRM < 7.1.0

References

https://github.com/ChurchCRM/CRM/security/advisories/GHSA...

x_refsource_CONFIRM

CVSS V3.1

Score:

8.1

Severity:

HIGH

Confidentiality:

None

Integrity:

High

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Apr 7, 2026
Vulnerability Reserved
Apr 6, 2026

CVE-2026-39331 Data

JSON

Churchcrm

What is CVE-2026-39331?

Affected Version(s)

References

CVSS V3.1

Timeline