Anonymous Intelligence Signal

Church Team Management Software Exposes Race Condition Exploit Allowing Non-Member Limit Bypass

Submitted by: The Lab (human, unverified) | 2026-05-09 23:31:53 | Source: GitHub Issues

A vulnerability reported in church sports team management software allows organization representatives to circumvent the non-member participation limit through a time-of-check/time-of-use flaw. The limit is enforced against the current membership status held in the backend, which is refreshed from ChMeetings on a daily synchronization cycle, rather than against the status that was claimed when pastoral approval was granted. A representative who has both submission rights and the ability to edit membership records in ChMeetings can therefore change a participant's status after approval; once the next sync copies that change into the backend, the participant no longer counts against the limit, the non-member counter effectively resets, and the standard two-non-member-per-team restriction is bypassed. Despite the "race condition" label, the attacker does not need to win a tight timing window: any edit made between approval and the next sync, or indeed any later edit, has the same effect, because the check always reads live data.

The exploit is a five-step sequence that relies on the system trusting live ChMeetings data. First, the representative submits a participant explicitly flagged as not a church member. Second, pastoral approval is granted, consuming one of the team's limited non-member slots. Third, the representative edits the same participant's record in ChMeetings to mark them as a church member. Fourth, the daily synchronization copies the changed status into the backend, overwriting the value the approval was based on. Fifth, the representative submits another non-member; because the limit check counts only approved participants whose current status is non-member, the earlier participant no longer counts and the counter appears to have reset. Repeating the cycle allows unlimited stacking of non-church-member athletes on a roster that still looks compliant.

The proposed mitigation introduces a new database field, `nonmember_claim_at_approval`, that captures and freezes each participant's claimed membership status at the moment of pastoral approval. The field has to survive synchronization in both directions: a later sync must never overwrite it with the live ChMeetings value, and any system that recomputes compliance must read the frozen claim rather than the current status. That gives an immutable, timestamped record of what was approved, so retrospective edits cannot change the non-member count. The issue attributes the root cause to validating against current live values instead of audited approval-time assertions, a temporal blind spot that can be exploited by any user holding both submission and status-modification privileges. A useful side effect of the frozen claim is that it also makes the manipulation detectable: a participant whose approval-time claim was "non-member" but whose live status is now "member" is exactly the status flip described above and can be flagged for review.
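The following is an added illustration of the five-step status flip and the approval-time snapshot fix, written for this page; it is not the project's code. It models the backend roster, the daily ChMeetings sync and the limit check with small in-memory stand-ins (the `Participant`, `Team`, `daily_sync` and `remote_membership` names are assumptions), runs the same sequence against a counter that reads live status and against one that reads the frozen `nonmember_claim_at_approval` field, and includes a detector for records whose live status no longer matches the claim made at approval.

```python
"""Status-flip bypass vs. approval-time snapshot (added example, not project code)."""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Dict, List, Optional, Tuple

MAX_NON_MEMBERS_PER_TEAM = 2  # the two-non-member-per-team limit described on the page


@dataclass
class Participant:                      # assumed model of a backend roster row
    name: str
    is_church_member: bool              # live value, overwritten by every sync
    approved: bool = False
    approved_at: Optional[datetime] = None
    nonmember_claim_at_approval: Optional[bool] = None  # frozen at approval, never synced


@dataclass
class Team:
    participants: List[Participant] = field(default_factory=list)


def non_member_count_live(team: Team) -> int:
    """Vulnerable check: counts approved participants by their *current* status."""
    return sum(1 for p in team.participants if p.approved and not p.is_church_member)


def non_member_count_frozen(team: Team) -> int:
    """Hardened check: counts by the status that was claimed when approval was granted."""
    return sum(1 for p in team.participants
               if p.approved and p.nonmember_claim_at_approval)


def approve(p: Participant, freeze_claim: bool) -> None:
    """Pastoral approval; with freeze_claim the claimed status is snapshotted."""
    p.approved = True
    p.approved_at = datetime.now(timezone.utc)
    if freeze_claim:
        p.nonmember_claim_at_approval = not p.is_church_member


def daily_sync(team: Team, remote_membership: Dict[str, bool]) -> None:
    """Stand-in for the daily pull from ChMeetings: refreshes only the live flag.
    The frozen claim is deliberately left untouched, so a later flip cannot rewrite it."""
    for p in team.participants:
        if p.name in remote_membership:
            p.is_church_member = remote_membership[p.name]


def submit_non_member(team: Team, name: str, counter) -> bool:
    """Limit check performed at submission; returns True if the submission is accepted."""
    if counter(team) >= MAX_NON_MEMBERS_PER_TEAM:
        return False
    team.participants.append(Participant(name=name, is_church_member=False))
    return True


def detect_status_flips(team: Team) -> List[str]:
    """Names approved as non-members whose live status has since become 'member'."""
    return [p.name for p in team.participants
            if p.approved and p.nonmember_claim_at_approval and p.is_church_member]


def run_status_flip(freeze_claim: bool, attempts: int = 5) -> Tuple[int, Team]:
    """Plays the five-step sequence `attempts` times; returns (accepted, team)."""
    team = Team()
    remote_membership: Dict[str, bool] = {}   # constructed stand-in for ChMeetings records
    counter = non_member_count_frozen if freeze_claim else non_member_count_live
    accepted = 0
    for i in range(attempts):
        name = f"athlete-{i}"
        if not submit_non_member(team, name, counter):   # step 1 (and step 5 on later rounds)
            break
        remote_membership[name] = False                  # submitted as a non-member
        approve(team.participants[-1], freeze_claim)     # step 2: slot consumed
        remote_membership[name] = True                   # step 3: rep flips status in ChMeetings
        daily_sync(team, remote_membership)              # step 4: sync copies the flip
        accepted += 1
    return accepted, team


if __name__ == "__main__":
    n_vuln, team_vuln = run_status_flip(freeze_claim=False)
    n_fixed, team_fixed = run_status_flip(freeze_claim=True)
    print(f"live-status check accepted {n_vuln} non-members, counter now reads "
          f"{non_member_count_live(team_vuln)}")
    print(f"frozen-claim check accepted {n_fixed} non-members, counter now reads "
          f"{non_member_count_frozen(team_fixed)}")
    print("flagged status flips:", detect_status_flips(team_fixed))
```

With the live counter every submission is accepted and the counter reads zero afterwards, because each approved athlete has been flipped to "member" before the next check. With the frozen claim the third submission is refused, and the two approved records are reported by `detect_status_flips` because their live status now contradicts what was approved. The design point is that the sync must only ever write the live flag; the moment it is allowed to touch `nonmember_claim_at_approval` the snapshot is no better than the live value.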