External risk intelligence

ChurchCRM can be taken over by attackers due to a dangerous file upload flaw.

CVE advisory. Severity: CRITICAL (CVSS 9.1)

CVE-2026-40484

An external attacker can trick an administrator into compromising ChurchCRM, allowing full control over the server and unauthorized access to sensitive member data. This flaw permits the execution of malicious commands that could completely subvert the application’s hosting environment.

Halo Surface Signal score: 3

Unrestricted File Upload

External exposure likelihood

Halo Surface Signal score for CVE-2026-40484

ChurchCRM is a specialized management application. While it functions as a web-based service and is plausibly reachable from the internet in cloud-hosted or remote-access deployments, such systems are typically intended for administrative use and are often restricted by access controls rather than being widely exposed public-facing web services.

Horizon Alert

Summary of the vulnerability and why it matters

An administrator in ChurchCRM can upload a malicious backup file to execute arbitrary code. This occurs because the system improperly handles archive contents during the restore process, allowing a PHP webshell to be placed in a publicly accessible location and run. The lack of cross-site request forgery protection further increases the risk.

  • Allows remote code execution.
  • Affects authenticated administrators.
  • Can be exploited via the internet.

Attack Path

How an attacker could exploit the issue

An attacker can exploit this by crafting a backup archive containing a PHP webshell within the `Images/` directory, then tricking an authenticated administrator into restoring it. The application will then copy the webshell to the web-accessible document root, allowing the attacker to execute code as the web server user via a simple HTTP request.

  • Authenticated administrator needed.
  • Restore functionality is the target.
  • No CSRF validation.
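The restore path described above fails because it copies whatever the archive contains into the web root. The following is an added example (not ChurchCRM's own code) of the check a restore routine should run before copying anything: it refuses entries that escape the archive root, entries outside the expected layout, and anything under Images/ that carries an executable extension component or whose bytes are not actually an image. The layout (a zip archive with one `database.sql` dump at the root plus an Images/ tree) and the allowlists are assumptions for illustration, not ChurchCRM's real backup format.

```python
"""Validate a backup archive before a restore step copies it into the web root.

Added example, not ChurchCRM's own code. Assumed layout: a zip archive holding
one database dump at the root plus an Images/ tree; the real ChurchCRM backup
format may differ. The checks refuse anything the restore path described in
the advisory would otherwise copy into a web-served directory.
"""
import io
import posixpath
import zipfile

# Extensions an image directory may legitimately contain (assumed allowlist).
IMAGE_EXTENSIONS = {".jpg", ".jpeg", ".png", ".gif", ".webp"}

# Extension components that common PHP handlers will execute, wherever they
# appear in the name ("x.php.jpg" is caught as well as "x.php").
EXECUTABLE_COMPONENTS = {"php", "phtml", "php5", "phar"}

# Leading bytes that genuine image files start with.
IMAGE_MAGIC = (
    b"\xff\xd8\xff",        # JPEG
    b"\x89PNG\r\n\x1a\n",   # PNG
    b"GIF87a", b"GIF89a",   # GIF
    b"RIFF",                # WebP container
)

# Assumed name of the dump file at the archive root (placeholder).
DUMP_FILENAME = "database.sql"


def _is_safe_path(name: str) -> bool:
    """Reject absolute paths, backslashes and any path escaping the archive root."""
    if name.startswith("/") or "\\" in name or ":" in name.split("/")[0]:
        return False
    norm = posixpath.normpath(name)
    return norm != ".." and not norm.startswith("../")


def validate_backup(data: bytes) -> list[str]:
    """Return findings for a zip archive; an empty list means it is safe to restore."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            name = info.filename
            if not _is_safe_path(name):
                findings.append(f"path traversal: {name}")
                continue
            if name.endswith("/"):
                continue  # directory entry, nothing to copy
            if name == DUMP_FILENAME:
                continue  # the dump is loaded into the database, not the web root
            if not name.startswith("Images/"):
                findings.append(f"unexpected path: {name}")
                continue
            basename = posixpath.basename(name).lower()
            components = basename.split(".")[1:]
            if any(c in EXECUTABLE_COMPONENTS for c in components):
                findings.append(f"executable extension in Images/: {name}")
                continue
            if posixpath.splitext(basename)[1] not in IMAGE_EXTENSIONS:
                findings.append(f"non-image extension in Images/: {name}")
                continue
            with zf.open(info) as fh:
                head = fh.read(16)
            if not head.startswith(IMAGE_MAGIC):
                findings.append(f"content is not an image: {name}")
    return findings


def build_archive(entries: dict[str, bytes]) -> bytes:
    """Build an in-memory zip from {path: content}; used only to construct samples."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


def demo() -> dict[str, list[str]]:
    """Run the validator over constructed sample archives (all contents are inert)."""
    png = b"\x89PNG\r\n\x1a\n" + b"\x00" * 8
    php = b"<?php /* constructed placeholder, inert */"
    samples = {
        "clean": build_archive({DUMP_FILENAME: b"-- dump", "Images/logo.png": png}),
        "webshell": build_archive({DUMP_FILENAME: b"-- dump", "Images/cmd.php": php}),
        "double_ext": build_archive({"Images/cmd.php.jpg": php}),
        "disguised": build_archive({"Images/photo.jpg": php}),
        "traversal": build_archive({"../config.php": php}),
    }
    return {label: validate_backup(data) for label, data in samples.items()}


if __name__ == "__main__":
    for label, findings in demo().items():
        print(label, findings or "ok")
```

The content check matters as much as the extension check: a restore that only filters on `.php` still copies a PHP payload named `photo.jpg` into a directory where a permissive handler configuration may execute it, so both name and leading bytes are verified before any entry is written.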

Live Threat

Current exploitation, exposure, and threat context

Attackers will likely find this vulnerability appealing due to its critical severity and ability to achieve remote code execution. The combination of unrestricted file uploads within an archive and a lack of CSRF protection presents a straightforward path for attackers to compromise the system. However, its reliance on authenticated administrator access may limit its widespread applicability compared to vulnerabilities exploitable by unauthenticated users.

  • Exploited by authenticated admin.
  • Remote code execution possible.
  • CSRF vector increases risk.

Priority actions

Operational Fix

Recommended remediation, mitigation, and detection steps

Prioritize patching ChurchCRM instances to version 7.2.0 to address the critical remote code execution vulnerability. If immediate patching is not feasible, isolate affected systems from the network or restrict administrative access to prevent exploitation via the backup restore functionality and cross-site request forgery. Monitor for any signs of unauthorized access or unusual file creation within the web root.

  • Patch to version 7.2.0.
  • Isolate affected instances.
  • Monitor for webshells.
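The "monitor for unusual file creation within the web root" step can be made concrete. The following is an added example, not part of the advisory or of ChurchCRM: it walks a document root and reports script files under directories that should hold only static content, files whose bytes look like PHP regardless of their extension, and any file changed after a reference time such as the last known-good restore. The directory name `Images` and the sample tree (built in a temporary directory with constructed, inert contents) are assumptions for illustration.

```python
"""Scan a web root for webshell indicators after a backup restore.

Added example, not part of the advisory or of ChurchCRM. Assumptions: the
Images/ directory never legitimately holds server-side scripts, and a baseline
timestamp (e.g. the last known-good restore) is available for comparison.
"""
import os
import tempfile
from dataclasses import dataclass

STATIC_ONLY_DIRS = ("Images",)  # assumed: directories that never contain PHP
SCRIPT_EXTENSIONS = {".php", ".phtml", ".phar", ".php5"}
PHP_MARKERS = (b"<?php", b"<?=")


@dataclass(frozen=True)
class Finding:
    path: str    # relative to the web root, forward slashes
    reason: str


def scan_web_root(root: str, newer_than: float) -> list[Finding]:
    """Report suspicious files; sorted by path so output is stable."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            full = os.path.join(dirpath, fname)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            top = rel.split("/")[0]
            ext = os.path.splitext(fname)[1].lower()
            with open(full, "rb") as fh:
                head = fh.read(512)
            if top in STATIC_ONLY_DIRS and ext in SCRIPT_EXTENSIONS:
                findings.append(Finding(rel, "script file in static directory"))
            elif top in STATIC_ONLY_DIRS and any(m in head for m in PHP_MARKERS):
                findings.append(Finding(rel, "PHP code hidden in non-script file"))
            elif os.path.getmtime(full) > newer_than:
                findings.append(Finding(rel, "created/modified after baseline"))
    return sorted(findings, key=lambda f: f.path)


def demo() -> list[tuple[str, str]]:
    """Build a constructed sample tree in a temp dir and scan it."""
    baseline = 1_700_000_000.0  # constructed reference timestamp
    png = b"\x89PNG\r\n\x1a\n" + b"\x00" * 8
    php = b"<?php /* constructed placeholder, inert */"
    with tempfile.TemporaryDirectory() as root:
        tree = {
            "index.php": (php, baseline - 100),        # legitimate app file, old
            "Images/logo.png": (png, baseline - 100),  # legitimate image, old
            "Images/cmd.php": (php, baseline + 60),    # dropped by a bad restore
            "Images/photo.jpg": (php, baseline + 60),  # PHP disguised as an image
            "Images/new.png": (png, baseline + 60),    # unexpected new file
        }
        for rel, (content, mtime) in tree.items():
            full = os.path.join(root, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "wb") as fh:
                fh.write(content)
            os.utime(full, (mtime, mtime))
        return [(f.path, f.reason) for f in scan_web_root(root, baseline)]


if __name__ == "__main__":
    for path, reason in demo():
        print(f"{path}: {reason}")
```

Run it on a schedule or from a file-integrity job; a hit in the first two categories is a strong indicator, while the third is a triage list that should be empty between legitimate deployments and restores.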

Frequently asked questions

What is ChurchCRM and its purpose?

ChurchCRM is an open-source software application designed to assist religious organizations with managing their operations and member information. It helps streamline administrative tasks and track various church activities.

What is the core vulnerability in ChurchCRM (CVE-2026-40484)?

The vulnerability, identified as CWE-269 (Improper Access Control) and CWE-434 (Unrestricted Upload of File with Dangerous Type), allows an authenticated administrator to upload a malicious file disguised as a database backup. This file is then placed in a publicly accessible web directory, leading to remote code execution.

How can an attacker exploit the ChurchCRM flaw?

An attacker can create a crafted backup archive containing a PHP webshell within the Images/ directory. When an authenticated administrator restores this archive, the system copies the webshell to a web-accessible path, allowing the attacker to execute arbitrary code via HTTP requests.

What is the risk associated with this ChurchCRM vulnerability?

This vulnerability poses a critical risk due to the potential for remote code execution. The combination of a dangerous file upload functionality and the lack of cross-site request forgery (CSRF) protection makes it an attractive target for attackers seeking to compromise the web server.

What is the recommended action for ChurchCRM security?

The recommended action is to update ChurchCRM to version 7.2.0 or later to fix the vulnerability. If immediate patching is not possible, consider isolating affected systems or restricting administrative access, and monitor for any suspicious activity or unauthorized file creations in the web root.
