Executive Summary:
A high-severity vulnerability has been identified in multiple ChurchCRM products, a widely used open-source church management system. This flaw, tracked as CVE-2026-24854, could allow a remote, unauthenticated attacker to compromise the application, potentially leading to a complete loss of data confidentiality, integrity, and availability. Immediate patching is required to prevent unauthorized access to sensitive member information and financial data.

Vulnerability Details

CVE-ID: CVE-2026-24854

Affected Software: ChurchCRM Multiple Products

Affected Versions: See vendor advisory for specific affected versions

Vulnerability: The vulnerability is an unauthenticated SQL injection flaw within the application's public-facing API endpoints. An unauthenticated remote attacker can exploit this by sending a specially crafted HTTP request containing malicious SQL queries to a vulnerable endpoint. Successful exploitation allows the attacker to bypass authentication, execute arbitrary code on the database server, and potentially gain full administrative control over the underlying server operating system.

Business Impact

This vulnerability presents a significant risk to the organization, classified as High severity with a CVSS score of 8.8. Successful exploitation could lead to the complete compromise of the ChurchCRM system. The potential consequences include unauthorized access to and exfiltration of sensitive Personally Identifiable Information (PII) of church members, disclosure of confidential financial and donation records, and reputational damage. An attacker could also deface the application or use the compromised server as a pivot point for further attacks against the internal network.

Remediation Plan

Immediate Action: The primary remediation is to apply the security updates provided by the vendor immediately. System administrators should prioritize the deployment of these patches across all affected ChurchCRM instances. Following the update, it is crucial to review web server and application access logs for any signs of exploitation attempts that may have occurred prior to patching.

Proactive Monitoring: Implement enhanced monitoring on the systems running ChurchCRM. Security teams should look for suspicious activity in web server logs, such as unusual URL requests containing SQL keywords (e.g., UNION, SELECT, SLEEP). Monitor for unexpected outbound network connections from the server and any unauthorized changes to files within the web application's directory.

Compensating Controls: If immediate patching is not feasible, implement the following compensating controls to reduce the risk of exploitation:

• Deploy a Web Application Firewall (WAF) with rules specifically designed to detect and block SQL injection attacks.
• Restrict access to the ChurchCRM application and its administrative interfaces to trusted IP addresses only.
• Ensure the database user account used by the application adheres to the principle of least privilege and cannot execute system-level commands.

Exploitation Status

Public Exploit Available: false

Analyst Notes: As of the publication date of February 1, 2026, there is no known public proof-of-concept exploit code, and there are no reports of this vulnerability being actively exploited in the wild. However, given the high severity and relative ease of exploitation for this type of flaw, it is highly probable that threat actors will develop and begin using exploits in the near future.

Analyst Recommendation

Due to the high CVSS score of 8.8 and the critical nature of the data managed by ChurchCRM, this vulnerability requires immediate attention. Organizations must prioritize applying the vendor-supplied patches to all affected systems without delay. Although this CVE is not currently listed on the CISA Known Exploited Vulnerabilities (KEV) catalog, its severity makes it a prime candidate for future inclusion and a high-value target for attackers. If patching is delayed, the compensating controls listed above should be implemented as an urgent temporary measure.