CVE-2026-40581: CWE-352: Cross-Site Request Forgery (CSRF) in ChurchCRM CRM
ChurchCRM versions prior to 7. 2. 0 contain a Cross-Site Request Forgery (CSRF) vulnerability in the family record deletion endpoint (SelectDelete. php). This endpoint allows permanent deletion of family records and all associated data via a GET request without CSRF token validation. An attacker can exploit this by tricking an authenticated administrator into visiting a malicious page that triggers deletion without any user interaction. The issue has been fixed in version 7. 2. 0.
AI Analysis
Technical Summary
The vulnerability in ChurchCRM CRM (CVE-2026-40581) is a CSRF issue affecting versions before 7.2.0. The family record deletion endpoint accepts a plain GET request to irreversibly delete family records and related data without validating a CSRF token. This allows an attacker to craft a malicious webpage that, when visited by an authenticated admin user, causes silent deletion of targeted data including notes, pledges, persons, and property data. The vulnerability is classified under CWE-352 (CSRF) and CWE-862 (missing authorization). It has a CVSS 3.1 score of 8.1 (high severity). The vulnerability was fixed in ChurchCRM version 7.2.0.
Potential Impact
Successful exploitation results in permanent, irreversible deletion of family records and all associated data in ChurchCRM, impacting data integrity and availability. The attack requires an authenticated administrator to visit a malicious page, which then triggers the deletion without user interaction. There is no confidentiality impact reported. This can cause significant data loss for organizations using affected versions.
Mitigation Recommendations
Upgrade ChurchCRM to version 7.2.0 or later, where this CSRF vulnerability has been fixed. Until upgrading, restrict access to the deletion endpoint and avoid visiting untrusted web pages while authenticated as an administrator. Patch status is not explicitly stated but the vendor fixed the issue in version 7.2.0, so applying this official fix is the recommended remediation.
CVE-2026-40581: CWE-352: Cross-Site Request Forgery (CSRF) in ChurchCRM CRM
Description
ChurchCRM versions prior to 7. 2. 0 contain a Cross-Site Request Forgery (CSRF) vulnerability in the family record deletion endpoint (SelectDelete. php). This endpoint allows permanent deletion of family records and all associated data via a GET request without CSRF token validation. An attacker can exploit this by tricking an authenticated administrator into visiting a malicious page that triggers deletion without any user interaction. The issue has been fixed in version 7. 2. 0.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
The vulnerability in ChurchCRM CRM (CVE-2026-40581) is a CSRF issue affecting versions before 7.2.0. The family record deletion endpoint accepts a plain GET request to irreversibly delete family records and related data without validating a CSRF token. This allows an attacker to craft a malicious webpage that, when visited by an authenticated admin user, causes silent deletion of targeted data including notes, pledges, persons, and property data. The vulnerability is classified under CWE-352 (CSRF) and CWE-862 (missing authorization). It has a CVSS 3.1 score of 8.1 (high severity). The vulnerability was fixed in ChurchCRM version 7.2.0.
Potential Impact
Successful exploitation results in permanent, irreversible deletion of family records and all associated data in ChurchCRM, impacting data integrity and availability. The attack requires an authenticated administrator to visit a malicious page, which then triggers the deletion without user interaction. There is no confidentiality impact reported. This can cause significant data loss for organizations using affected versions.
Mitigation Recommendations
Upgrade ChurchCRM to version 7.2.0 or later, where this CSRF vulnerability has been fixed. Until upgrading, restrict access to the deletion endpoint and avoid visiting untrusted web pages while authenticated as an administrator. Patch status is not explicitly stated but the vendor fixed the issue in version 7.2.0, so applying this official fix is the recommended remediation.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-04-14T13:24:29.475Z
- Cvss Version
- 3.1
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 69e389f6bdfbbecc5976522a
Added to database: 4/18/2026, 1:41:10 PM
Last enriched: 4/18/2026, 1:41:18 PM
Last updated: 4/18/2026, 3:05:03 PM
Views: 5
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.