Authorization Flaw in ChurchCRM Allows Data Exposure for Low-Privileged Users
CVE-2026-58410

7.1HIGH

Key Information:

Vendor

Churchcrm

Status
Vendor
CVE Published:
13 July 2026

What is CVE-2026-58410?

ChurchCRM, an open-source church management system, has a vulnerability that permits low-privileged users to access and alter records belonging to other families. Specifically, prior to version 7.4.0, an authenticated non-admin user with limited access (EditSelf) could manipulate the familyId, enabling them to retrieve and modify records outside their designated family scope. This flaw arises from the backend's failure to verify if the requested family entity corresponds to the actual user. If the user also possesses Notes access, they can even add notes to unrelated family records, undermining the integrity of the EditSelf function. The issue was resolved in version 7.4.0.

Affected Version(s)

CRM < 7.4.0

References

CVSS V3.1

Score:
7.1
Severity:
HIGH
Confidentiality:
High
Integrity:
Low
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.