CVE-2026-42289

ChurchCRM · CRM

ChurchCRM before 7.3.2 is susceptible to multiple vulnerabilities including improper privilege management, missing authentication for critical functions, and CSRF, potentially leading to system compromise.

Executive summary

Multiple security flaws in ChurchCRM, including missing authentication and privilege management issues, allow remote attackers to compromise the application integrity and confidentiality.

Vulnerability

The application suffers from a combination of missing authentication for critical functions (CWE-306), improper privilege management (CWE-269), and Cross-Site Request Forgery (CWE-352). These flaws allow unauthenticated or low-privileged attackers to perform sensitive actions.

Business impact

The combined impact of these vulnerabilities is severe, with a CVSS score of 8.8. An attacker could gain unauthorized administrative access, modify sensitive church management data, or perform unauthorized actions, leading to significant reputational damage and loss of trust.

Remediation

Immediate Action: Upgrade ChurchCRM to version 7.3.2 or later immediately to address these security gaps.

Proactive Monitoring: Review application logs for unauthorized administrative actions or suspicious requests that could indicate exploitation attempts.

Compensating Controls: Deploy a Web Application Firewall (WAF) to mitigate potential CSRF attacks and block suspicious traffic patterns targeting administrative endpoints.

Exploitation status

Public Exploit Available: Unknown.

Analyst recommendation

ChurchCRM users should treat this advisory with high urgency and perform the recommended upgrade to version 7.3.2. Because the vulnerability includes missing authentication for critical functions, the application is at high risk of unauthorized manipulation by remote parties.