Description
** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2026-39327. Reason: This candidate is a duplicate of CVE-2026-39327. Notes: All CVE users should reference CVE-2026-39327 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage.another CVE.
Published: 2026-04-07
Score: n/a
EPSS: n/a
KEV: No
Impact: Data Compromise via SQL Injection
Action: Patch Now
AI Analysis

Impact

An authenticated user holding the ManageGroups role can craft a POST request to MemberRoleChange.php using a malicious NewRole parameter. Because the parameter is inserted into an SQL command without proper integer validation, the attacker can inject arbitrary SQL statements. The resulting vulnerability is a classic SQL injection, identified as CWE‑89, that allows the authenticated user to read, modify, or delete data in the ChurchCRM database, potentially leading to data compromise and loss of integrity.

Affected Systems

ChurchCRM, an open‑source church management solution, is affected in all releases prior to version 7.1.0. The issue resides in the Community Relationship Management (CRM) component, specifically src/MemberRoleChange.php. Administrators using older installations are at risk unless they upgrade to the patched 7.1.0 release.

Risk and Exploitability

The CVSS score of 8.8 reflects high severity, and the lack of an EPSS score means we cannot quantify likelihood from that metric. The vulnerability requires an authenticated session with ManageGroups privileges and knowledge of a valid group ID and person ID, which can be discovered via GroupView or PersonView interfaces. Because these prerequisites are readily available to a regular user who can navigate the system, the risk of exploitation is significant. The vulnerability was addressed in version 7.1.0, which deploys proper integer validation and eliminates the injection path.

Generated by OpenCVE AI on April 7, 2026 at 22:09 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade ChurchCRM to 7.1.0 or later.
  • Limit the ManageGroups role to trusted administrators.
  • Enforce least privilege for all users to reduce the attack surface.
  • Monitor database logs for unexpected queries related to MemberRoleChange.php.

Generated by OpenCVE AI on April 7, 2026 at 22:09 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

References

No reference.

History

Thu, 09 Apr 2026 17:00:00 +0000

Type Values Removed Values Added
Description This CVE is a duplicate of another CVE. ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2026-39327. Reason: This candidate is a duplicate of CVE-2026-39327. Notes: All CVE users should reference CVE-2026-39327 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage.another CVE.

Thu, 09 Apr 2026 08:30:00 +0000

Type Values Removed Values Added
First Time appeared Churchcrm
Churchcrm churchcrm
Vendors & Products Churchcrm
Churchcrm churchcrm

Wed, 08 Apr 2026 22:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-89
References
Metrics cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}

Wed, 08 Apr 2026 22:15:00 +0000

Type Values Removed Values Added
Title SQL Injection in MemberRoleChange.php
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Wed, 08 Apr 2026 21:30:00 +0000

Type Values Removed Values Added
Description ChurchCRM is an open-source church management system. Prior to 7.1.0, the NewRole POST parameter in src/MemberRoleChange.php is used in an SQL query without proper integer validation, allowing authenticated users to inject arbitrary SQL. The attack requires an authenticated session with ManageGroups role, knowledge of a valid GroupID and PersonID (obtainable from GroupView or PersonView pages) This vulnerability is fixed in 7.1.0. This CVE is a duplicate of another CVE.

Tue, 07 Apr 2026 20:45:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Tue, 07 Apr 2026 18:00:00 +0000

Type Values Removed Values Added
Description ChurchCRM is an open-source church management system. Prior to 7.1.0, the NewRole POST parameter in src/MemberRoleChange.php is used in an SQL query without proper integer validation, allowing authenticated users to inject arbitrary SQL. The attack requires an authenticated session with ManageGroups role, knowledge of a valid GroupID and PersonID (obtainable from GroupView or PersonView pages) This vulnerability is fixed in 7.1.0.
Title SQL Injection in MemberRoleChange.php
Weaknesses CWE-89
References
Metrics cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}

Subscriptions

Churchcrm Churchcrm
cve-icon MITRE

Status: REJECTED

Assigner: GitHub_M

Published:

Updated: 2026-04-09T16:51:09.351Z

Reserved: 2026-04-03T20:09:02.826Z

Link: CVE-2026-35567

cve-icon Vulnrichment

Updated:

cve-icon NVD

Status : Rejected

Published: 2026-04-07T16:16:29.747

Modified: 2026-04-09T17:16:26.053

Link: CVE-2026-35567

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-09T08:24:10Z

Weaknesses

No weakness.