What Happened

ChurchCRM, a widely used open-source church management system, has been found vulnerable to a critical security flaw identified as CVE-2026-39329. The flaw is an SQL injection vulnerability present in versions prior to 7.1.0. This security weakness was discovered in the /EventNames.php file, which is involved in the creation and management of event types within the platform. The vulnerability was reported in late 2026, highlighting a significant risk for organizations using affected versions of ChurchCRM to manage church events and records.

The flaw is reachable only by authenticated users who hold AddEvent privileges. Such a user can supply crafted input in the newEvtTypeCntLst parameter; because that value reaches the database query unescaped, an attacker can inject SQL statements of their choosing and read, modify, or delete data, undermining both the confidentiality and the integrity of the database.

Technical Details

The SQL injection vulnerability in ChurchCRM, detailed under CVE-2026-39329, arises from inadequate validation of user inputs in the /EventNames.php script. To exploit this, an authenticated user with AddEvent privileges can craft a request that includes SQL syntax within the newEvtTypeCntLst parameter. The crux of the problem lies in the handling of this parameter during the event type creation, where user input is unsafely interpolated into an SQL query without proper escaping.

The injected input lands in an ON DUPLICATE KEY UPDATE clause, a common SQL construct for handling unique-key conflicts while inserting data. Successful exploitation therefore results in execution of attacker-controlled SQL, compromising the database's integrity. The vulnerability has been assigned a CVSS score of 8.8, a high-severity rating that reflects its potential impact on data management and security.

Indicators of compromise (IOCs) for this vulnerability include unusual database query patterns originating from user sessions with AddEvent privileges, and unexpected modifications to event type records.

Impact

Organizations using ChurchCRM versions prior to 7.1.0 are at risk, especially those that grant broad user privileges or have several users with event management roles. The impact includes unauthorized exfiltration of data or alterations to the database, posing significant risks to data confidentiality and integrity. This vulnerability could lead to the exposure of sensitive information, data corruption, or the complete compromise of the organization's church management system.

The exploitation of this flaw could also lead to broader security incidents if leveraged as a stepping stone for further attacks within the network infrastructure, amplifying the potential damage.

What To Do

  • Upgrade: Immediately upgrade ChurchCRM to version 7.1.0 or later to patch this vulnerability.
  • Review User Privileges: Reassess and minimize the assignment of AddEvent privileges to reduce the risk of exploitation by authenticated insiders.
  • Monitor Logs: Implement logging and monitoring solutions to detect unusual activity, specifically anomalous SQL queries related to event type creation.
  • Input Validation: Ensure thorough input validation mechanisms are in place to sanitize user inputs across all application components.
  • Database Security: Apply additional database security measures, such as restricting the application's database account to the read and write privileges it actually needs, or deploying a web application firewall (WAF) to block malicious payloads.
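The two defensive layers the Technical Details section and the Input Validation item point to, strict validation of the count-list parameter and a parameterized upsert, are shown together below. This is an added illustration written in Python against SQLite, not ChurchCRM's own (PHP/MySQL) code; the table name, column names, and the assumption that newEvtTypeCntLst is a comma-separated list of integers are constructed for the example, and the same binding approach applies to PDO prepared statements with MySQL's ON DUPLICATE KEY UPDATE.

```python
import re
import sqlite3

# Constructed stand-in for an event-type table with a unique key; the table and
# column names are assumptions for this example, not ChurchCRM's real schema.
SCHEMA = """
CREATE TABLE event_types (
    type_name  TEXT PRIMARY KEY,
    count_list TEXT NOT NULL
)
"""

# Assumed expected format for the parameter: comma-separated non-negative
# integers. Anything else is refused before it gets near the database.
COUNT_LIST_RE = re.compile(r"[0-9]+(,[0-9]+)*")


def validate_count_list(raw: str) -> str:
    if not COUNT_LIST_RE.fullmatch(raw):
        raise ValueError("count list must be comma-separated integers")
    return raw


def upsert_event_type(conn: sqlite3.Connection, type_name: str, count_list: str) -> None:
    # Parameter binding: values travel separately from the SQL text, so quotes
    # or keywords inside them are stored as data, never parsed as SQL. SQLite
    # spells the upsert ON CONFLICT ... DO UPDATE; MySQL uses ON DUPLICATE KEY
    # UPDATE, and the binding works the same way there.
    conn.execute(
        "INSERT INTO event_types (type_name, count_list) VALUES (?, ?) "
        "ON CONFLICT(type_name) DO UPDATE SET count_list = excluded.count_list",
        (type_name, count_list),
    )
    conn.commit()


def save_event_type(conn: sqlite3.Connection, type_name: str, raw_count_list: str) -> str:
    """Validate, then store via the parameterized upsert; return the stored value."""
    count_list = validate_count_list(raw_count_list)
    upsert_event_type(conn, type_name, count_list)
    row = conn.execute(
        "SELECT count_list FROM event_types WHERE type_name = ?", (type_name,)
    ).fetchone()
    return row[0]


def new_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    return conn
```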

By taking these steps, organizations can significantly mitigate the risks posed by CVE-2026-39329. Stay current with security advisories and follow best practices in application and database security to prevent similar vulnerabilities from being exploited in the future.