Authorization Flaw in ChurchCRM Allows Data Exposure for Low-Privileged Users
CVE-2026-58410
7.1HIGH
What is CVE-2026-58410?
ChurchCRM, an open-source church management system, has a vulnerability that permits low-privileged users to access and alter records belonging to other families. Specifically, prior to version 7.4.0, an authenticated non-admin user with limited access (EditSelf) could manipulate the familyId, enabling them to retrieve and modify records outside their designated family scope. This flaw arises from the backend's failure to verify if the requested family entity corresponds to the actual user. If the user also possesses Notes access, they can even add notes to unrelated family records, undermining the integrity of the EditSelf function. The issue was resolved in version 7.4.0.
Affected Version(s)
CRM < 7.4.0
