External risk intelligence

ChurchCRM allows attackers to take control of your system

CVE advisorySeverity: CRITICAL (CVSS 9.6)

CVE-2026-44547

A previous fix for ChurchCRM was incomplete and unintentionally removed, leaving versions 7.2.0-7.2.2 vulnerable to exploitation. This issue allows unauthorized access to sensitive data and system functions.

4Halo Surface Signal

Authentication Bypass

External exposure likelihood

Halo Surface Signal score for CVE-2026-44547

The vulnerability affects a public-facing API endpoint within a web-based management system. This endpoint is designed for external interaction, making it commonly reachable from the internet in typical deployments where the application's public-facing functions are utilized.

Horizon Alert

Summary of the vulnerability and why it matters

An incomplete fix for a previous vulnerability exists in ChurchCRM, a church management system. This means an issue that was thought to be resolved can still be exploited through existing proof-of-concept details. This requires attention because it re-exposes the system to the previously addressed security risk.

Can lead to data compromise.
Affects users with limited access.
The fix was unintentionally removed.

Attack Path

How an attacker could exploit the issue

An attacker with low privilege can exploit this vulnerability by targeting the public user API endpoint. The flaw allows an authenticated user to bypass authorization checks and gain unauthorized administrative access to sensitive church data and system functions. This can be achieved by sending a crafted request to the vulnerable API.

Low-privilege user access required.
Targets public user API endpoint.
Incomplete fix for prior vulnerability.

Live Threat

Current exploitation, exposure, and threat context

The fix for this vulnerability in ChurchCRM versions 7.2.0 through 7.2.2 was reverted, leaving the application susceptible to exploitation by a previously published Proof of Concept. This situation suggests a high likelihood of weaponization as the vulnerability remains present in released software.

Exploitable in released versions.
Public PoC exists.
Affects public API.

Priority actions

Operational Fix

Recommended remediation, mitigation, and detection steps

Prioritize immediate action on ChurchCRM versions 7.2.0 through 7.2.2, as the fix for a critical vulnerability was incomplete and remains exploitable. Teams should focus on upgrading to the patched version or implementing containment measures to prevent exploitation.

Upgrade to ChurchCRM 7.3.1.
If patching is delayed, restrict access to the affected API.
Monitor for indicators of compromise.

Frequently asked questions

What is ChurchCRM and what is its purpose in managing church operations?

ChurchCRM is an open-source church management system designed to help religious organizations manage various aspects of their operations. This includes handling member information, donations, events, and other administrative tasks. The system aims to streamline these processes for church staff and volunteers.

What is the specific weakness in ChurchCRM versions 7.2.0 to 7.2.2?

The weakness lies in an incomplete fix for a previous vulnerability (CVE-2026-4058). A hardening commit intended to fix the issue was unintentionally removed from the codebase before any 7.2.x tag was created. This means that all shipped 7.2.x releases remain susceptible to exploitation using a publicly available Proof of Concept.

How can an attacker exploit this vulnerability in ChurchCRM?

An attacker with low privileges can exploit this by targeting the public user API endpoint (src/api/routes/public/public-user.php). By sending a specially crafted request to this endpoint, an authenticated user can bypass authorization controls and gain unauthorized access to sensitive data and system functions, effectively taking control of the system.

What is the relevance of this incomplete fix for ChurchCRM users?

The relevance is high because the vulnerability, previously thought to be fixed, is still present and exploitable in released versions of ChurchCRM (7.2.0-7.2.2). The existence of a public Proof of Concept increases the likelihood of active exploitation, potentially leading to data breaches and system compromise for affected organizations. Halo classifies this as 'Likely' to be exploited because it affects a public-facing API.

What practical steps should be taken to address the ChurchCRM vulnerability?

Immediate action is required for ChurchCRM versions 7.2.0 through 7.2.2. The primary recommendation is to upgrade to the patched version, ChurchCRM 7.3.1. If an immediate upgrade is not feasible, consider implementing containment measures by restricting access to the affected public API endpoint. Continuous monitoring for any signs of compromise is also advised.

References

Written by Nicholas Merritt

External-surface CVE analysis and Halo Surface Signal prioritization for Halo Threat Intelligence.