Skip to main content
Press slash or control plus K to focus the search. Use the arrow keys to navigate results and press enter to open a threat.
Reconnecting to live updates…

CVE-2026-58410: CWE-639: Authorization Bypass Through User-Controlled Key in ChurchCRM CRM

0
High
VulnerabilityCVE-2026-58410cvecve-2026-58410cwe-639cwe-862
Published: 07/13/2026 (07/13/2026, 20:26:17 UTC)
Source: CVE Database V5
Vendor/Project: ChurchCRM
Product: CRM

Description

ChurchCRM versions prior to 7.4.0 contain an authorization bypass vulnerability in family-scoped endpoints. Authenticated non-admin users with EditSelf access could supply another family's familyId to read and modify records outside their own family scope. If the user also had Notes permission, they could create notes on unrelated family records. This flaw arises because the backend trusts the user-controlled familyId without verifying ownership. The issue was fixed in version 7.4.0.

CVSS v3.1

Score 7.1high

Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
Low
Availability
None
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N

Affected software

GitHub Actionsmore threats →ai
churchcrm/CRM
pkg:github/churchcrm/CRM
Affected versions
<7.4.0

Run on your own infrastructure? Check whether these packages are installed with threat-finder — our free open-source scanner.

AI-Powered Analysis

Machine-generated threat intelligence

AILast updated: 07/13/2026, 21:02:30 UTC

Technical Analysis

CVE-2026-58410 is an authorization bypass vulnerability in ChurchCRM's family-scoped endpoints affecting versions before 7.4.0. The backend fails to verify that the requested familyId belongs to the authenticated user, allowing low-privileged users with EditSelf access to read and modify other families' records. Additionally, users with Notes permission could create notes on other families' records. This breaks the intended access control scope and exposes sensitive congregation data. The vulnerability has been addressed in ChurchCRM version 7.4.0.

Potential Impact

An authenticated non-admin user with EditSelf access can access and modify records of other families, violating data confidentiality and integrity. If the user also has Notes permission, they can add notes to unrelated family records. This leads to unauthorized disclosure and partial modification of sensitive congregation information. There is no indication of availability impact. No known exploits in the wild have been reported.

Mitigation Recommendations

Upgrade ChurchCRM to version 7.4.0 or later, where this authorization flaw has been fixed. Since this is an on-premises product, administrators must apply the official update to remediate the vulnerability. Patch status is not explicitly stated but the vendor fixed the issue in 7.4.0, so updating to that version or newer is required.

Pro Console: star threats, build custom feeds, automate alerts via Slack, email & webhooks.Upgrade to Pro

Technical Details

Data Version
5.2
Assigner Short Name
GitHub_M
Date Reserved
2026-06-30T18:19:58.380Z
Cvss Version
3.1
State
PUBLISHED
Remediation Level
null

Threat ID: 6a554f1668715ace43d4d2e4

Added to database: 07/13/2026, 20:48:22 UTC

Last enriched: 07/13/2026, 21:02:30 UTC

Last updated: 07/13/2026, 23:09:14 UTC

Views: 8

Community Reviews

0 reviews

Crowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.

Sort by
Loading community insights…

Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.

Actions

PRO

Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.

Please log in to the Console to use AI analysis features.

Need more coverage?

Upgrade to Pro Console for AI refresh and higher limits.

For incident response and remediation, OffSeq services can help resolve threats faster.

Latest Threats

Breach by OffSeqOFFSEQFRIENDS — 25% OFF

Check if your credentials are on the dark web

Instant breach scanning across billions of leaked records. Free tier available.

Scan now
OffSeq TrainingCredly Certified

Lead Pen Test Professional

Technical5-day eLearningPECB Accredited
View courses