CVE-2026-58410

ChurchCRM is an open-source church management system. Prior to version 7.4.0, there was an authorization flaw in the family-scoped endpoints which allowed low-privileged users to read and modify other families’ records. An authenticated non-admin user with EditSelf access can supply another family’s `familyId` and access records outside their own family scope. The backend trusts the attacker-controlled `familyId` and loads the corresponding family entity by ID without verifying that the requested family belongs to the current user. If the same user also has Notes permission, they can create notes on another family’s record. This breaks the intended EditSelf scope and allows access to unrelated congregation records. This issue has been fixed in version 7.4.0.
Configurations

No configuration.

History

14 Jul 2026, 14:16

Type Values Removed Values Added
References () https://github.com/ChurchCRM/CRM/security/advisories/GHSA-jjcj-h3cm-p7x7 - () https://github.com/ChurchCRM/CRM/security/advisories/GHSA-jjcj-h3cm-p7x7 -

13 Jul 2026, 21:16

Type Values Removed Values Added
New CVE

Information

Published : 2026-07-13 21:16

Updated : 2026-07-14 16:42


NVD link : CVE-2026-58410

Mitre link : CVE-2026-58410

CVE.ORG link : CVE-2026-58410


JSON object : View

Products Affected

No product.

CWE
CWE-639

Authorization Bypass Through User-Controlled Key

CWE-862

Missing Authorization