CVE-2026-58410: CWE-639: Authorization Bypass Through User-Controlled Key in ChurchCRM CRM
ChurchCRM versions prior to 7.4.0 contain an authorization bypass vulnerability in family-scoped endpoints. Authenticated non-admin users with EditSelf access could supply another family's familyId to read and modify records outside their own family scope. If the user also had Notes permission, they could create notes on unrelated family records. This flaw arises because the backend trusts the user-controlled familyId without verifying ownership. The issue was fixed in version 7.4.0.
AI Analysis
Technical Summary
CVE-2026-58410 is an authorization bypass vulnerability in ChurchCRM's family-scoped endpoints affecting versions before 7.4.0. The backend fails to verify that the requested familyId belongs to the authenticated user, allowing low-privileged users with EditSelf access to read and modify other families' records. Additionally, users with Notes permission could create notes on other families' records. This breaks the intended access control scope and exposes sensitive congregation data. The vulnerability has been addressed in ChurchCRM version 7.4.0.
Potential Impact
An authenticated non-admin user with EditSelf access can access and modify records of other families, violating data confidentiality and integrity. If the user also has Notes permission, they can add notes to unrelated family records. This leads to unauthorized disclosure and partial modification of sensitive congregation information. There is no indication of availability impact. No known exploits in the wild have been reported.
Mitigation Recommendations
Upgrade ChurchCRM to version 7.4.0 or later, where this authorization flaw has been fixed. Since this is an on-premises product, administrators must apply the official update to remediate the vulnerability. Patch status is not explicitly stated but the vendor fixed the issue in 7.4.0, so updating to that version or newer is required.
CVE-2026-58410: CWE-639: Authorization Bypass Through User-Controlled Key in ChurchCRM CRM
Description
ChurchCRM versions prior to 7.4.0 contain an authorization bypass vulnerability in family-scoped endpoints. Authenticated non-admin users with EditSelf access could supply another family's familyId to read and modify records outside their own family scope. If the user also had Notes permission, they could create notes on unrelated family records. This flaw arises because the backend trusts the user-controlled familyId without verifying ownership. The issue was fixed in version 7.4.0.
CVSS v3.1
Score 7.1high
Affected software
Run on your own infrastructure? Check whether these packages are installed with threat-finder — our free open-source scanner.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
CVE-2026-58410 is an authorization bypass vulnerability in ChurchCRM's family-scoped endpoints affecting versions before 7.4.0. The backend fails to verify that the requested familyId belongs to the authenticated user, allowing low-privileged users with EditSelf access to read and modify other families' records. Additionally, users with Notes permission could create notes on other families' records. This breaks the intended access control scope and exposes sensitive congregation data. The vulnerability has been addressed in ChurchCRM version 7.4.0.
Potential Impact
An authenticated non-admin user with EditSelf access can access and modify records of other families, violating data confidentiality and integrity. If the user also has Notes permission, they can add notes to unrelated family records. This leads to unauthorized disclosure and partial modification of sensitive congregation information. There is no indication of availability impact. No known exploits in the wild have been reported.
Mitigation Recommendations
Upgrade ChurchCRM to version 7.4.0 or later, where this authorization flaw has been fixed. Since this is an on-premises product, administrators must apply the official update to remediate the vulnerability. Patch status is not explicitly stated but the vendor fixed the issue in 7.4.0, so updating to that version or newer is required.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-06-30T18:19:58.380Z
- Cvss Version
- 3.1
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 6a554f1668715ace43d4d2e4
Added to database: 07/13/2026, 20:48:22 UTC
Last enriched: 07/13/2026, 21:02:30 UTC
Last updated: 07/13/2026, 23:09:14 UTC
Views: 8
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.