PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-58410 ChurchCRM CVE debrief

CVE-2026-58410 is an authorization flaw in ChurchCRM, an open-source church management system. Prior to version 7.4.0, low-privileged users with EditSelf access can read and modify other families' records by supplying another family's familyId. The backend trusts the attacker-controlled familyId and loads the corresponding family entity by ID without verifying that the requested family belongs to the current user. If the same user also has Notes permission, they can create notes on another family's record. This breaks the intended EditSelf scope and allows access to unrelated congregation records.

Vendor
ChurchCRM
Product
CRM
CVSS
HIGH 7.1
CISA KEV
Not listed in stored evidence
Original CVE published
2026-07-13
Original CVE updated
2026-07-13
Advisory published
2026-07-13
Advisory updated
2026-07-13

Who should care

Users of ChurchCRM versions prior to 7.4.0 should be aware of this authorization flaw and take steps to mitigate it. This includes upgrading to version 7.4.0 or later and reviewing access controls for low-privileged users. Operators, platform administrators, vulnerability management teams, and security teams should prioritize this issue due to its potential impact on data confidentiality and integrity.

Technical summary

The ChurchCRM system has an authorization flaw in family-scoped endpoints. Low-privileged users with EditSelf access can read and modify other families' records by supplying another family's familyId. The system fails to verify that the requested family belongs to the current user, allowing unauthorized access. This issue allows attackers to access records outside their own family scope, potentially leading to unauthorized data exposure.

Defensive priority

High

Recommended defensive actions

  • Upgrade ChurchCRM to version 7.4.0 or later
  • Review and restrict access controls for low-privileged users
  • Monitor for suspicious activity on family records
  • Confirm whether affected product deployments exist in managed environments and assign an owner for follow-up
  • Review compensating controls for exposed systems while remediation is scheduled and verified
  • Check relevant monitoring, detection, and logs for exposed assets that need extra review
  • Track exceptions, retest remediated assets, and close the item only after evidence is documented

Evidence notes

The CVE record was published on 2026-07-13T21:16:48.573Z and has not been modified since then. The NVD entry is currently 7.1 HIGH. Evidence is limited to CVE and NVD details. Defenders should verify ChurchCRM version and upgrade status.

Official resources

AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-13T21:16:48.573Z and has not been modified since then.