CVE-2026-39355 CRITICAL

CVE-2026-39355: Genealogy is Missing Authorization in `TeamController::transferOwnership()` Allows Any Authenticated User to Hijack Any Team (Broken Access Control)

Vendor Mgeurts

Product genealogy

Weakness CWE-862 · Missing authorization

Published April 7, 2026

Last update April 8, 2026

View on NVD All CVEs

CVSS base score

10.0/10

Attack vector Network

Attack complexity Low

Privileges required Low

User interaction None

Confidentiality High

Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

What the vulnerability does

01Description

Genealogy is a family tree PHP application. Prior to 5.9.1, a critical broken access control vulnerability in the genealogy application allows any authenticated user to transfer ownership of arbitrary non-personal teams to themselves. This enables complete takeover of other users’ team workspaces and unrestricted access to all genealogy data associated with the compromised team. This vulnerability is fixed in 5.9.1.

Key dates

02Disclosure timeline

April 7, 2026 CVE published

April 8, 2026 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2026-39355

Related vulnerabilities

04Related CVE

CVE-2023-51670 WordPress FunnelKit Checkout plugin <= 3.10.3 - Authenticated Arbitrary Plugin Activation vulnerability CVE-2024-54222 WordPress Seraphinite Accelerator plugin <= 2.22.15 - Authenticated Sensitive Data Exposure vulnerability CVE-2023-39920 WordPress Redirection for Contact Form 7 plugin <= 2.9.2 - Broken Access Control vulnerability CVE-2024-12028 Friends <= 3.2.1 - Missing Authorization CVE-2024-8682 JNews - WordPress Newspaper Magazine Blog AMP Theme <= 11.6.6 - Unauthorized User Registration