A critical access control vulnerability in Genealogy permits authenticated users to perform unauthorized team ownership takeovers.

The application fails to properly validate permissions when transferring team ownership. This allows any authenticated user to escalate their privileges by claiming ownership of teams they do not manage.

This vulnerability presents a significant risk of data exfiltration and unauthorized administrative control over team workspaces. With a CVSS score of 9.9, the impact on organizational data privacy is extreme, as attackers can gain access to all data associated with compromised teams.

Immediate Action: Update the Genealogy application to version 5.9.1 or later to remediate the access control logic.

Proactive Monitoring: Audit ownership change logs to identify any unauthorized transfers of team workspaces that occurred prior to patching.

Compensating Controls: Restrict access to the application to trusted internal networks and implement strict session monitoring for unusual account activity.

Public Exploit Available: No

The ability for a standard user to seize control of arbitrary workspaces is a critical security failure. Organizations should prioritize updating to version 5.9.1 to ensure that authorization checks are correctly enforced across all team management functions.