PatchSiren cyber security CVE debrief
CVE-2026-58410 ChurchCRM CVE debrief
CVE-2026-58410 is an authorization flaw in ChurchCRM, an open-source church management system. Prior to version 7.4.0, low-privileged users with EditSelf access can read and modify other families' records by supplying another family's familyId. The backend trusts the attacker-controlled familyId and loads the corresponding family entity by ID without verifying that the requested family belongs to the current user. If the same user also has Notes permission, they can create notes on another family's record. This breaks the intended EditSelf scope and allows access to unrelated congregation records.
- Vendor
- ChurchCRM
- Product
- CRM
- CVSS
- HIGH 7.1
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-07-13
- Original CVE updated
- 2026-07-13
- Advisory published
- 2026-07-13
- Advisory updated
- 2026-07-13
Who should care
Users of ChurchCRM versions prior to 7.4.0 should be aware of this authorization flaw and take steps to mitigate it. This includes upgrading to version 7.4.0 or later and reviewing access controls for low-privileged users. Operators, platform administrators, vulnerability management teams, and security teams should prioritize this issue due to its potential impact on data confidentiality and integrity.
Technical summary
The ChurchCRM system has an authorization flaw in family-scoped endpoints. Low-privileged users with EditSelf access can read and modify other families' records by supplying another family's familyId. The system fails to verify that the requested family belongs to the current user, allowing unauthorized access. This issue allows attackers to access records outside their own family scope, potentially leading to unauthorized data exposure.
Defensive priority
High
Recommended defensive actions
- Upgrade ChurchCRM to version 7.4.0 or later
- Review and restrict access controls for low-privileged users
- Monitor for suspicious activity on family records
- Confirm whether affected product deployments exist in managed environments and assign an owner for follow-up
- Review compensating controls for exposed systems while remediation is scheduled and verified
- Check relevant monitoring, detection, and logs for exposed assets that need extra review
- Track exceptions, retest remediated assets, and close the item only after evidence is documented
Evidence notes
The CVE record was published on 2026-07-13T21:16:48.573Z and has not been modified since then. The NVD entry is currently 7.1 HIGH. Evidence is limited to CVE and NVD details. Defenders should verify ChurchCRM version and upgrade status.
Official resources
-
CVE-2026-58410 CVE record
CVE.org
-
CVE-2026-58410 NVD detail
NVD
-
Source item URL
nvd_modified
- Source reference
AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-13T21:16:48.573Z and has not been modified since then.