CVE-2026-34402: CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') in ChurchCRM CRM
ChurchCRM versions prior to 7. 1. 0 contain a high-severity SQL injection vulnerability in the PropertyAssign. php endpoint. Authenticated users with Edit Records or Manage Groups permissions can exploit this time-based blind SQL injection to access or modify sensitive database content, including user credentials and personal identifiable information. This vulnerability is addressed in version 7. 1. 0.
AI Analysis
Technical Summary
CVE-2026-34402 is a SQL injection vulnerability (CWE-89) in ChurchCRM's PropertyAssign.php endpoint affecting versions before 7.1.0. It allows authenticated users with specific permissions to perform time-based blind SQL injection attacks, potentially exfiltrating or altering any data in the database such as credentials, PII, and configuration secrets. The vulnerability has a CVSS 3.1 score of 8.1, indicating high severity. The issue is fixed in ChurchCRM version 7.1.0.
Potential Impact
Exploitation of this vulnerability can lead to unauthorized disclosure and modification of sensitive data stored in the ChurchCRM database, including user credentials and personal identifiable information. This compromises confidentiality and integrity but does not impact availability. The vulnerability requires authenticated access with specific permissions.
Mitigation Recommendations
Upgrade ChurchCRM to version 7.1.0 or later, where this SQL injection vulnerability is fixed. Until the upgrade is applied, restrict Edit Records and Manage Groups permissions to trusted users only. Patch status is confirmed fixed in version 7.1.0.
CVE-2026-34402: CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') in ChurchCRM CRM
Description
ChurchCRM versions prior to 7. 1. 0 contain a high-severity SQL injection vulnerability in the PropertyAssign. php endpoint. Authenticated users with Edit Records or Manage Groups permissions can exploit this time-based blind SQL injection to access or modify sensitive database content, including user credentials and personal identifiable information. This vulnerability is addressed in version 7. 1. 0.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
CVE-2026-34402 is a SQL injection vulnerability (CWE-89) in ChurchCRM's PropertyAssign.php endpoint affecting versions before 7.1.0. It allows authenticated users with specific permissions to perform time-based blind SQL injection attacks, potentially exfiltrating or altering any data in the database such as credentials, PII, and configuration secrets. The vulnerability has a CVSS 3.1 score of 8.1, indicating high severity. The issue is fixed in ChurchCRM version 7.1.0.
Potential Impact
Exploitation of this vulnerability can lead to unauthorized disclosure and modification of sensitive data stored in the ChurchCRM database, including user credentials and personal identifiable information. This compromises confidentiality and integrity but does not impact availability. The vulnerability requires authenticated access with specific permissions.
Mitigation Recommendations
Upgrade ChurchCRM to version 7.1.0 or later, where this SQL injection vulnerability is fixed. Until the upgrade is applied, restrict Edit Records and Manage Groups permissions to trusted users only. Patch status is confirmed fixed in version 7.1.0.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-03-27T13:45:29.620Z
- Cvss Version
- 3.1
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 69d3dfad0a160ebd92c7095c
Added to database: 4/6/2026, 4:30:37 PM
Last enriched: 4/6/2026, 4:45:25 PM
Last updated: 4/6/2026, 5:48:56 PM
Views: 4
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.