Data Export Vulnerability in ChurchCRM Open-Source Management System
CVE-2026-58408
6.5MEDIUM
What is CVE-2026-58408?
ChurchCRM, an open-source church management system, is vulnerable due to a flaw that allows low-privileged users to bypass the admin export interface and access sensitive member data. The POST /CSVCreateFile.php endpoint generates a CSV file containing full Personally Identifiable Information (PII) for every record in the database, without sufficient authorization checks. This oversight means that any user with basic permissions can exploit the system to exfiltrate sensitive information, a significant concern for data protection. The vulnerability has been addressed in version 7.4.0, reinforcing the need for comprehensive authorization controls to prevent unauthorized data access.
Affected Version(s)
CRM < 7.4.0
