CVE-2026-42288
ChurchCRM · ChurchCRM
ChurchCRM is vulnerable to pre-authentication remote code execution via an unsanitized database password in the setup wizard.
Executive summary
The fix shipped for a critical pre-authentication remote code execution vulnerability in ChurchCRM is incomplete, so unauthenticated attackers can still gain full control of the system.
Vulnerability
This is a pre-authentication remote code execution vulnerability occurring in the setup wizard, caused by improper sanitization of the DB_PASSWORD field; it represents an incomplete fix for CVE-2026-39337.
Business impact
With a CVSS score of 10, this vulnerability is of the highest severity, enabling an unauthenticated attacker to execute arbitrary code on the underlying server. Successful exploitation could lead to total system compromise, including the theft of sensitive congregant data, unauthorized modification of records, and the use of the server as a pivot point for further network attacks.
Remediation
Immediate Action: Upgrade all instances of ChurchCRM to version 7.3.2 or later without delay; this release replaces the incomplete fix.
Proactive Monitoring: Monitor server logs for suspicious process execution or unauthorized attempts to access the setup wizard or database configuration files.
Compensating Controls: If an immediate update is not possible, restrict access to the web interface to trusted IP addresses using a Web Application Firewall (WAF) or network ACLs.
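A defender-side triage helper for the remediation steps above, added here as an example and not part of the advisory: it flags installed versions older than 7.3.2 and scans web-server access logs for setup-wizard requests coming from addresses outside the trusted ranges that the WAF/ACL control is meant to enforce. The setup-wizard path prefix, the trusted networks and the log lines are assumptions constructed for the example; adjust them to the actual deployment.

```python
import re
from ipaddress import ip_address, ip_network

# Version that carries the complete fix per the advisory; anything older is affected.
FIXED_VERSION = (7, 3, 2)

# ASSUMPTION: path prefix under which the setup wizard is served; adjust to your install.
SETUP_PATH_PREFIX = "/setup"

# ASSUMPTION: address ranges allowed to reach the setup wizard (mirrors the WAF/ACL rule).
TRUSTED_NETWORKS = [ip_network("10.0.0.0/8"), ip_network("192.168.1.0/24")]

# Combined log format: client IP, ident, user, timestamp, request line, status, size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def is_affected(version: str) -> bool:
    """True if the installed ChurchCRM version predates the fix in 7.3.2."""
    parts = tuple(int(p) for p in version.strip().lstrip("v").split("."))
    return parts < FIXED_VERSION


def untrusted_setup_hits(log_lines):
    """Return (ip, method, path, status) for setup-wizard requests from untrusted sources."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m or not m["path"].startswith(SETUP_PATH_PREFIX):
            continue
        src = ip_address(m["ip"])
        if any(src in net for net in TRUSTED_NETWORKS):
            continue  # expected administrative access from an allowed range
        hits.append((m["ip"], m["method"], m["path"], int(m["status"])))
    return hits


# Constructed sample lines for the example (not real traffic).
SAMPLE_LOG = [
    '192.168.1.20 - - [01/May/2026:10:00:00 +0000] "GET /setup HTTP/1.1" 200 512',
    '203.0.113.7 - - [01/May/2026:10:00:05 +0000] "POST /setup/index.php HTTP/1.1" 200 128',
    '203.0.113.7 - - [01/May/2026:10:00:06 +0000] "GET /index.php HTTP/1.1" 200 4096',
]

if __name__ == "__main__":
    print("installed 7.3.1 affected:", is_affected("7.3.1"))
    for hit in untrusted_setup_hits(SAMPLE_LOG):
        print("ALERT setup wizard reached from untrusted address:", hit)
```

A non-empty result from untrusted_setup_hits on a still-affected instance is the signal to treat as a potential pre-auth exploitation attempt and investigate server-side process activity.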
Exploitation status
Public Exploit Available: No
Analyst recommendation
The severity of this vulnerability cannot be overstated, as it provides a direct path to remote code execution without requiring authentication. Administrators must treat this as a high-priority remediation task and deploy version 7.3.2 without delay.