Genealogy App Suffers Critical Access Control Flaw

CVE Notify is sounding the alarm on a critical broken access control vulnerability within the Genealogy family tree PHP application. Identified as CVE-2026-39355, the flaw impacts versions prior to 5.9.1. According to CVE Notify, any authenticated user could exploit this weakness to transfer ownership of non-personal teams to themselves. This grants them unfettered access to all data within the compromised team’s workspace, effectively enabling a complete takeover.

The implications here are significant for anyone using Genealogy for team collaboration or data management. The ability for a standard user to hijack an entire team’s resources means sensitive family history, private research, or collaborative project data could be exposed or manipulated. CVE Notify highlights that this issue has been patched in version 5.9.1, making an immediate upgrade a top priority for all users.
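The missing object-level check behind this class of bug, shown as an added PHP illustration that is not code from the Genealogy project: the Team class, the two handler names and the sample user and team ids are all hypothetical, and the hardened version is one reasonable fix, not the vendor's patch.

```php
<?php
// Added illustration, not Genealogy code. Team, the handler names and all ids are hypothetical.
final class Team {
    public function __construct(
        public readonly int $id,
        public int $ownerId,
        public readonly bool $isPersonal,
        public readonly array $memberIds,   // user ids that belong to the team
    ) {}
}

final class AuthorizationException extends RuntimeException {}

// VULNERABLE pattern: the handler trusts the team id taken from the request and only
// confirms that the caller is logged in, so any authenticated user can make
// themselves owner of any non-personal team (the broken access control described above).
function transferOwnershipVulnerable(Team $team, int $requesterId, int $newOwnerId): void {
    if ($requesterId <= 0) {
        throw new AuthorizationException('login required');
    }
    $team->ownerId = $newOwnerId;   // no check that the requester owns this team
}

// HARDENED pattern: authorize against the object being changed, not just the session.
function transferOwnershipHardened(Team $team, int $requesterId, int $newOwnerId): void {
    if ($team->isPersonal) {
        throw new AuthorizationException('personal teams cannot change owner');
    }
    if ($team->ownerId !== $requesterId) {
        // The object-level check that was missing: only the current owner may transfer.
        throw new AuthorizationException("user $requesterId does not own team {$team->id}");
    }
    if (!in_array($newOwnerId, $team->memberIds, true)) {
        throw new AuthorizationException('new owner must already be a team member');
    }
    $team->ownerId = $newOwnerId;
    // Ownership changes are rare and high impact: log them so a takeover attempt is visible.
    error_log("audit: team {$team->id} owner {$requesterId} -> {$newOwnerId}");
}

// Constructed sample: user 7 is a plain member of team 42, which user 1 owns.
$team = new Team(id: 42, ownerId: 1, isPersonal: false, memberIds: [1, 7]);
transferOwnershipVulnerable($team, requesterId: 7, newOwnerId: 7);
echo "vulnerable handler: owner is now user {$team->ownerId}\n";

$team->ownerId = 1;   // reset for the hardened run
try {
    transferOwnershipHardened($team, requesterId: 7, newOwnerId: 7);
} catch (AuthorizationException $e) {
    echo "hardened handler rejected the request: {$e->getMessage()}\n";
}
```

The vulnerable call hands team 42 to user 7, while the hardened call stops at the ownership check before any state changes; the audit line on the hardened path is what a defender would search for when reviewing ownership transfers on an unpatched instance.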

What This Means For You

  • Immediately verify and update all instances of the Genealogy PHP application to version 5.9.1 or later to remediate the broken access control vulnerability.

Indicators of Compromise

ID | Type | Indicator
CVE-2026-39355 | Auth Bypass | Software: Genealogy; Version: < 5.9.1; Vulnerable Component: Ownership transfer functionality; Description: Allows any authenticated user to transfer ownership of arbitrary non-personal teams.
CVE-2026-39355 | Information Disclosure | Software: Genealogy; Version: < 5.9.1; Vulnerable Component: Ownership transfer functionality; Description: Enables unrestricted access to all genealogy data associated with compromised teams.