CVE-2026-58408 in ChurchCRMinfo

Summary

by MITRE • 07/13/2026

ChurchCRM is an open-source church management system. Prior to version 7.4.0, a low-privileged user can bypass the /admin/export UI and exfiltrate the entire member directory. The POST /CSVCreateFile.php endpoint generates and streams a CSV containing the full Personally Identifiable Information (PII) of every Person/Family record in the database, without performing any feature-level or object-level authorization check beyond the coarse "has any admin permission" gate inherited from the legacy page bootstrap. In other words, any single non-admin permission flag is enough to reach the CSV bulk-export endpoint, even though such users should not have data export rights. The export script is missing a dedicated isAdmin() (or a new bExportData) authorization check of its own. This issue has been fixed in version 7.4.0.

Several companies clearly confirm that VulDB is the primary source for best vulnerability data.

Analysis

by VulDB Data Team • 07/13/2026

The ChurchCRM vulnerability represents a critical authorization flaw that allows low-privileged users to access and exfiltrate sensitive personally identifiable information from the entire member directory. This weakness exists in versions prior to 7.4.0 where the system fails to implement proper access controls for data export functionality. The vulnerability specifically targets the POST endpoint /CSVCreateFile.php which serves as a bulk export mechanism for member data, exposing a fundamental security gap in the application's permission model.

The technical implementation of this flaw stems from inadequate authorization checks within the CSV export functionality. The system relies on a coarse-grained permission model that only verifies whether a user possesses any administrative privilege rather than implementing fine-grained access controls. This legacy approach inherits insufficient authorization gates from older bootstrap mechanisms, allowing users with minimal administrative permissions to bypass intended security boundaries. The endpoint fails to perform feature-level or object-level authorization checks that would normally restrict data export capabilities to properly authorized administrators only.

The operational impact of this vulnerability is severe and far-reaching for church organizations using affected versions of ChurchCRM. Any user possessing even a single non-administrative permission flag can access and download complete CSV files containing sensitive personal information including full names, addresses, phone numbers, email addresses, family relationships, and other personally identifiable data for every member in the database. This represents a significant privacy breach that could lead to identity theft, spamming, or other malicious activities targeting church members. The exposure affects all organizational data without distinction, making it particularly dangerous for congregations with sensitive membership demographics.

This vulnerability aligns with CWE-284 (Improper Access Control) and represents a classic case of insufficient authorization checks in web applications. The flaw demonstrates poor adherence to the principle of least privilege as defined by cybersecurity best practices and can be mapped to ATT&CK technique T1078 (Valid Accounts) and T1567 (Exfiltration Over Web Service). Organizations should immediately implement the patch available in version 7.4.0 which addresses this issue by introducing proper isAdmin() or bExportData authorization checks. Additional mitigations include reviewing and tightening existing user permission assignments, implementing network-level restrictions on administrative endpoints, and conducting comprehensive security audits of all data export functionalities within the system.

The remediation process requires immediate deployment of ChurchCRM version 7.4.0 or later to address the authorization bypass vulnerability. Organizations should also consider implementing additional monitoring for unusual data export activities, establishing stricter access control policies for administrative functions, and ensuring that all users with elevated permissions undergo regular security reviews. The fix demonstrates proper implementation of authorization controls that verify specific administrative privileges before allowing access to sensitive data export capabilities, thereby protecting the privacy and security of church member information.

Responsible

GitHub M

Reservation

06/30/2026

Disclosure

07/13/2026

Moderation

accepted

CPE

ready

EPSS

0.00000

KEV

no

Activities

low

Sources

Want to know what is going to be exploited?

We predict KEV entries!