Data Export Vulnerability in ChurchCRM Open-Source Management System
CVE-2026-58408

6.5MEDIUM

Key Information:

Vendor

Churchcrm

Status
Vendor
CVE Published:
13 July 2026

What is CVE-2026-58408?

ChurchCRM, an open-source church management system, is vulnerable due to a flaw that allows low-privileged users to bypass the admin export interface and access sensitive member data. The POST /CSVCreateFile.php endpoint generates a CSV file containing full Personally Identifiable Information (PII) for every record in the database, without sufficient authorization checks. This oversight means that any user with basic permissions can exploit the system to exfiltrate sensitive information, a significant concern for data protection. The vulnerability has been addressed in version 7.4.0, reinforcing the need for comprehensive authorization controls to prevent unauthorized data access.

Affected Version(s)

CRM < 7.4.0

References

CVSS V3.1

Score:
6.5
Severity:
MEDIUM
Confidentiality:
High
Integrity:
None
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.