External risk intelligence

ChurchCRM could allow an external attacker to take control of the server.

CVE advisorySeverity: CRITICAL (CVSS 10.0)

CVE-2026-42288

By targeting the setup wizard in ChurchCRM, an external attacker can gain complete control over the host server. This allows the attacker to steal sensitive member data or maintain unauthorized, long-term access to the organization's infrastructure.

2Halo Surface Signal

Code Injection

External exposure likelihood

Halo Surface Signal score for CVE-2026-42288

The vulnerability resides in the application setup wizard, a component designed for initial configuration rather than ongoing operation. Best practice dictates that this page should be disabled or restricted after installation. While it can be reached if exposed by a misconfiguration, public internet accessibility is not an intended or common feature for this specific interface.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Horizon Alert

Summary of the vulnerability and why it matters

This critical vulnerability in ChurchCRM allows for remote code execution through an incomplete fix for a previous issue. If exploited, an attacker could gain full control of the application.

  • Affects ChurchCRM software.
  • Exploitable without authentication.
  • Can lead to full system compromise.

Attack Path

How an attacker could exploit the issue

An attacker can exploit this vulnerability in ChurchCRM versions prior to 7.3.2 by sending a specially crafted request to the setup wizard. This allows them to execute arbitrary code on the server, potentially leading to a full compromise of the application and its underlying infrastructure. The flaw lies in an incomplete fix for a previous vulnerability related to unsanitized password input during the initial setup.

  • Unauthenticated access required.
  • Targets setup wizard.
  • Pre-authentication RCE possible.

Live Threat

Current exploitation, exposure, and threat context

This vulnerability, a pre-authentication RCE in ChurchCRM's setup wizard, is unlikely to be widely weaponized because the setup wizard should ideally be inaccessible after initial installation. Attackers generally prefer vulnerabilities in components that are persistently exposed and utilized.

  • Setup wizard is typically temporary.
  • Exploit requires direct access to setup.

Priority actions

Operational Fix

Recommended remediation, mitigation, and detection steps

Prioritize the ChurchCRM setup wizard for immediate review and mitigation, as pre-authentication RCE remains exploitable. Teams should focus on disabling or restricting access to this setup wizard and verifying its removal from accessible network interfaces.

  • Restrict access to setup wizard.
  • Monitor for unauthorized setup wizard access.
  • Upgrade to version 7.3.2 when possible.

Frequently asked questions

What is ChurchCRM and what is it used for?

ChurchCRM is an open-source software designed for managing church-related data and operations. It helps organizations keep track of members, donations, and other administrative tasks.

What type of weakness does CVE-2026-42288 represent in ChurchCRM?

CVE-2026-42288 is a pre-authentication remote code execution vulnerability. This means an attacker could potentially run their own code on the server without needing to log in, by exploiting a flaw in how the setup wizard handles a database password.

How could an attacker exploit this ChurchCRM vulnerability?

An attacker could exploit this by accessing the ChurchCRM setup wizard and sending a specially crafted request that includes an unsanitized database password. This could allow them to execute arbitrary code on the server before any authentication occurs.

Who should be concerned about this ChurchCRM vulnerability?

Organizations using ChurchCRM versions prior to 7.3.2 should be concerned. While the Halo Surface Signal indicates this vulnerability is unlikely to be widely exploited because the setup wizard is usually temporary, any instance where the setup wizard is still accessible, especially from the internet, presents a risk.

What is the first step to address the ChurchCRM vulnerability?

The immediate first step is to secure the ChurchCRM setup wizard. Ensure it is disabled or access to it is strictly restricted, particularly from external networks. Upgrading to version 7.3.2 is also a key remediation step when possible.

References

Sources and related resources

Primary sources: NVD, CVE.org.

NVDPublished Modified