PT-2026-30955 · Churchcrm · Churchcrm
Morris-Be
·
Published
2026-04-07
·
Updated
2026-04-07
·
CVE-2026-39331
CVSS v3.1
8.1
High
| Vector | AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H |
Name of the Vulnerable Software and Affected Versions
ChurchCRM versions prior to 7.1.0
Description
An authenticated API user can change the state of any family record without authorization simply by altering the familyId parameter in the request, regardless of whether they hold the EditRecords privilege that these operations are meant to require. The following API endpoints lack role-based access control:
'/family/{familyId}/verify'
'/family/{familyId}/verify/url'
'/family/{familyId}/verify/now'
'/family/{familyId}/activate/{status}'
'/family/{familyId}/geocode'
This allows such a user to deactivate or reactivate arbitrary families, send unsolicited verification emails, mark families as verified and trigger geocoding.
Recommendations
Update to version 7.1.0 or later.
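To make the flaw and its fix concrete, the following is an added, runnable model written for this page; it is not ChurchCRM's code and is written in Python rather than the project's own language. Only the five route patterns come from the description above; the User class, the family records, the handler bodies, the privilege name as a string and the dispatch function are hypothetical stand-ins.

```python
"""Runnable model of the family-endpoint authorization flaw and its fix.

Constructed example, not ChurchCRM code. The five route patterns are the ones
the advisory names; the User class, the family records, the handler bodies and
the dispatch function are hypothetical stand-ins.
"""
import re


class User:
    """A caller: a name plus the set of privileges it holds (hypothetical model)."""

    def __init__(self, name, privileges=()):
        self.name = name
        self.privileges = frozenset(privileges)


def fresh_families():
    """Constructed sample records for two families."""
    return {
        1: {"active": True, "verified": False, "geocoded": False, "mails": 0},
        2: {"active": True, "verified": False, "geocoded": False, "mails": 0},
    }


# Stand-ins for what each endpoint does to the record selected by familyId.
def h_verify(fam, _):
    fam["mails"] += 1                   # sends a verification e-mail to the family

def h_verify_url(fam, _):
    fam["mails"] += 1                   # sends a verification link

def h_verify_now(fam, _):
    fam["verified"] = True              # marks the family verified

def h_activate(fam, args):
    fam["active"] = args[0] == "true"   # {status} is "true" or "false"

def h_geocode(fam, _):
    fam["geocoded"] = True


ROUTES = [
    (re.compile(r"^/family/(\d+)/verify$"), h_verify),
    (re.compile(r"^/family/(\d+)/verify/url$"), h_verify_url),
    (re.compile(r"^/family/(\d+)/verify/now$"), h_verify_now),
    (re.compile(r"^/family/(\d+)/activate/(true|false)$"), h_activate),
    (re.compile(r"^/family/(\d+)/geocode$"), h_geocode),
]


def dispatch(path, user, families, require_privilege=None):
    """Route one request and return an HTTP-style status code.

    require_privilege=None reproduces the flaw: any authenticated caller reaches
    the handler for whatever familyId they put in the URL. Passing "EditRecords"
    models the fix: the privilege is checked on every family route, before the
    record is even looked up, so a caller without it cannot touch any family no
    matter which identifier they supply.
    """
    if user is None:
        return 401
    for pattern, handler in ROUTES:
        match = pattern.match(path)
        if not match:
            continue
        if require_privilege and require_privilege not in user.privileges:
            return 403
        fam = families.get(int(match.group(1)))
        if fam is None:
            return 404
        handler(fam, match.groups()[1:])
        return 200
    return 404


def sweep(user, require_privilege=None):
    """Call every endpoint from the advisory on family 2 as `user`; map path -> status."""
    families = fresh_families()
    paths = [
        "/family/2/verify",
        "/family/2/verify/url",
        "/family/2/verify/now",
        "/family/2/activate/false",
        "/family/2/geocode",
    ]
    return {p: dispatch(p, user, families, require_privilege) for p in paths}


def demo():
    """A low-privilege API user tries to deactivate family 2 on both builds.

    Returns (vulnerable status, family 2 active after, fixed status, active after).
    """
    low = User("apiuser", privileges={"ViewRecords"})
    vuln, fixed = fresh_families(), fresh_families()
    s1 = dispatch("/family/2/activate/false", low, vuln)
    s2 = dispatch("/family/2/activate/false", low, fixed, "EditRecords")
    return s1, vuln[2]["active"], s2, fixed[2]["active"]


if __name__ == "__main__":
    print(demo())                                           # (200, False, 403, True)
    print(sweep(User("apiuser", {"ViewRecords"}), "EditRecords"))
```

Two points the model is meant to show. First, a familyId chosen by the client is not itself the problem: families are not owned by individual API users, so the correct control is a privilege check on the caller (EditRecords), applied uniformly to the whole group of state-changing routes rather than to each handler by hand. Second, the check runs before the record lookup and before any side effect, so a caller lacking the privilege cannot use these routes to probe which identifiers exist or to trigger mail or geocoding.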
Fix
IDOR
Incorrect Authorization
Related Identifiers
Affected Products
Churchcrm