Description
Genealogy is a family tree PHP application. Prior to 5.9.1, a critical broken access control vulnerability in the genealogy application allows any authenticated user to transfer ownership of arbitrary non-personal teams to themselves. This enables complete takeover of other users’ team workspaces and unrestricted access to all genealogy data associated with the compromised team. This vulnerability is fixed in 5.9.1.
Published: 2026-04-07
Score: 10 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Privilege Escalation: Team Hijack
Action: Immediate Patch
AI Analysis

Impact

Genealogy, a family tree PHP application, contains a critical broken access control flaw in the TeamController::transferOwnership method that allows any authenticated user to transfer ownership of non-personal teams to themselves. This flaw permits a user to take over another user’s team workspace and gain unrestricted access to all genealogy data tied to the compromised team. The vulnerability is classified as CWE-862 (Broken Access Control).

Affected Systems

The vulnerability affects the MGeurts Genealogy application prior to version 5.9.1. Any authenticated user who can access the application can exploit the flaw, regardless of their role or the team’s ownership status.

Risk and Exploitability

The CVSS score of 10 indicates that an attacker could fully compromise a team’s data and functionality. The EPSS score of less than 1% suggests that while the vulnerability is severe, current evidence of exploitation is low, possibly due to a narrow window before the patch. It is not currently listed in CISA’s KEV catalog. The likely attack vector is an authenticated web request to the transferOwnership endpoint; therefore, any legitimate user with a valid session can trigger the exploit if no additional safeguards are in place.

Generated by OpenCVE AI on April 10, 2026 at 20:30 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Genealogy to version 5.9.1 or later.

Generated by OpenCVE AI on April 10, 2026 at 20:30 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 10 Apr 2026 19:15:00 +0000

Type Values Removed Values Added
First Time appeared Kreaweb
Kreaweb genealogy
CPEs cpe:2.3:a:kreaweb:genealogy:*:*:*:*:*:*:*:*
Vendors & Products Kreaweb
Kreaweb genealogy

Wed, 08 Apr 2026 19:45:00 +0000

Type Values Removed Values Added
First Time appeared Mgeurts
Mgeurts genealogy
Vendors & Products Mgeurts
Mgeurts genealogy

Wed, 08 Apr 2026 18:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Tue, 07 Apr 2026 20:45:00 +0000

Type Values Removed Values Added
Description Genealogy is a family tree PHP application. Prior to 5.9.1, a critical broken access control vulnerability in the genealogy application allows any authenticated user to transfer ownership of arbitrary non-personal teams to themselves. This enables complete takeover of other users’ team workspaces and unrestricted access to all genealogy data associated with the compromised team. This vulnerability is fixed in 5.9.1.
Title Genealogy is Missing Authorization in `TeamController::transferOwnership()` Allows Any Authenticated User to Hijack Any Team (Broken Access Control)
Weaknesses CWE-862
References
Metrics cvssV3_1

{'score': 10, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H'}

Subscriptions

Kreaweb Genealogy
Mgeurts Genealogy
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-08T18:10:34.141Z

Reserved: 2026-04-06T21:29:17.349Z

Link: CVE-2026-39355

cve-icon Vulnrichment

Updated: 2026-04-08T18:10:24.750Z

cve-icon NVD

Status : Analyzed

Published: 2026-04-07T19:16:46.523

Modified: 2026-04-10T19:03:43.350

Link: CVE-2026-39355

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-13T14:26:20Z

Weaknesses