PT-2026-30977 · Genealogy · Genealogy

Across-Verticals-Malaysia · Published 2026-04-07 · Updated 2026-04-07 · CVE-2026-39355

CVSS v3.1: 9.9 (Critical)

Vector: AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions

Genealogy versions prior to 5.9.1

Description

The Genealogy PHP application contains a broken access control issue. An authenticated user can transfer ownership of any non-personal team to themselves, leading to complete takeover of other users' team workspaces and unrestricted access to associated genealogy data. The vulnerable function is TeamController::transferOwnership(), which lacks proper authorization checks. This is triggered by a single POST request.

Recommendations

Update to version 5.9.1 or later.
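
The missing check described above, as an added example that is not Genealogy's code and not the 5.9.1 fix: a hypothetical plain-PHP model (the Team class, the function names, the membership rule and the sample ids are all assumptions) that places an ownership transfer with no authorization check beside one that verifies the caller is the current owner.

```php
<?php
declare(strict_types=1);

// Hypothetical model (PHP 8+), not Genealogy's schema: a team with an owner,
// a personal flag and a member list.
final class Team
{
    public function __construct(
        public int $id,
        public int $ownerId,
        public bool $personal,
        public array $memberIds = [],
    ) {}
}

final class AuthorizationException extends RuntimeException {}

// "Before": being logged in is the only requirement, so any caller can
// reassign any non-personal team to themselves.
function transferOwnershipUnchecked(Team $team, int $callerId): void
{
    if ($team->personal) {
        throw new AuthorizationException('personal teams cannot be transferred');
    }
    $team->ownerId = $callerId; // never compared with the current owner
}

// "After": the decision is made server-side from the stored owner, not from
// anything the request supplies.
function transferOwnership(Team $team, int $callerId, int $newOwnerId): void
{
    if ($team->personal) {
        throw new AuthorizationException('personal teams cannot be transferred');
    }
    if ($team->ownerId !== $callerId) {
        throw new AuthorizationException('only the current owner may transfer this team');
    }
    // Assumed policy: ownership can only move to an existing member.
    if (!in_array($newOwnerId, $team->memberIds, true)) {
        throw new AuthorizationException('new owner must be a team member');
    }
    $team->ownerId = $newOwnerId;
}

// Constructed sample data: user 1 owns team 10, user 2 is a member, user 99 is unrelated.
$team = new Team(id: 10, ownerId: 1, personal: false, memberIds: [1, 2]);

$copy = clone $team;
transferOwnershipUnchecked($copy, callerId: 99);
echo "unchecked: owner is now user {$copy->ownerId}\n";

try {
    transferOwnership($team, callerId: 99, newOwnerId: 99);
} catch (AuthorizationException $e) {
    echo "checked: denied ({$e->getMessage()})\n";
}
transferOwnership($team, callerId: 1, newOwnerId: 2);
echo "checked: owner is now user {$team->ownerId}\n";
```

The denied case doubles as a regression test: a request from a user who does not own the team must leave the stored owner unchanged.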

Weakness Enumeration

Missing Authorization

Related Identifiers

CVE-2026-39355

Affected Products

Genealogy