CVE-2026-44547

ChurchCRM · ChurchCRM

ChurchCRM versions 7.2.0 to 7.2.2 contain an incomplete authentication fix, leaving the application vulnerable to unauthorized access due to a missing critical security check.

Executive summary

An incomplete authentication patch in ChurchCRM 7.2.x allows unauthenticated attackers to bypass security controls and gain unauthorized access to the application.

Vulnerability

The vulnerability stems from a missing critical authentication step that was inadvertently removed from the codebase during a merge process. This allows unauthenticated users to bypass security measures and interact with sensitive API functions.

Business impact

With a CVSS score of 9.6, this flaw represents a major security risk, potentially allowing unauthorized access to sensitive member databases and administrative functions. Successful exploitation could lead to data breaches, unauthorized data modification, and complete loss of application integrity.

Remediation

Immediate Action: Upgrade to ChurchCRM version 7.3.1 or later to ensure the authentication hardening is properly implemented.

Proactive Monitoring: Review application access logs for suspicious API requests originating from unauthorized or unknown IP addresses.

Compensating Controls: Implement strict network-level access controls (VPN or IP allowlisting) to restrict access to the CRM interface until the software is updated.
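The log review and the IP allowlisting recommended above can be combined into a single triage check: parse the web server's access log, keep only requests to the API path, and report those whose source address lies outside the networks from which CRM use is expected. The script below is an added illustration, not code from ChurchCRM or from this advisory's authors. It assumes Apache/nginx combined log format, assumes "/api/" as the API path prefix, and uses a constructed sample log and an assumed internal range of 10.0.0.0/8; adjust all three to the deployment.

```python
"""Flag API requests from IP addresses outside an allowlist in web access logs."""
import ipaddress
import re
from collections import Counter

# Constructed sample of combined-format access log lines (not real ChurchCRM logs).
# The "/api/" path prefix is an assumption used for illustration.
SAMPLE_LOG = """\
10.0.0.5 - - [01/May/2026:08:00:01 +0000] "GET /api/persons HTTP/1.1" 200 512
203.0.113.42 - - [01/May/2026:08:00:07 +0000] "GET /api/persons HTTP/1.1" 200 512
203.0.113.42 - - [01/May/2026:08:00:09 +0000] "POST /api/persons/1 HTTP/1.1" 200 88
10.0.0.7 - - [01/May/2026:08:01:15 +0000] "GET /index.php HTTP/1.1" 200 2048
198.51.100.9 - - [01/May/2026:08:02:30 +0000] "GET /api/families HTTP/1.1" 401 0
not a log line
"""

# Networks from which CRM access is expected (assumed: one internal range).
ALLOWED_NETWORKS = (ipaddress.ip_network("10.0.0.0/8"),)
API_PREFIX = "/api/"

# Combined log format: ip ident user [timestamp] "METHOD path proto" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)


def parse_line(line):
    """Parse one access-log line; return a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def is_allowed(ip, allowed_networks=ALLOWED_NETWORKS):
    """True if ip parses and falls inside one of the allowed networks."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False  # unparsable address is never trusted
    return any(addr in net for net in allowed_networks)


def find_external_api_requests(log_text, allowed_networks=ALLOWED_NETWORKS,
                               api_prefix=API_PREFIX):
    """Return records for API requests whose source IP is outside the allowlist."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # skip malformed lines instead of aborting the review
        if rec["path"].startswith(api_prefix) and not is_allowed(rec["ip"], allowed_networks):
            hits.append(rec)
    return hits


def served_by_ip(records):
    """Count requests per external IP that the server actually served (status < 400).

    On an unpatched install a 2xx on an endpoint that should require login is
    the signal to investigate; a 401 shows the check was enforced.
    """
    return Counter(r["ip"] for r in records if r["status"] < 400)


if __name__ == "__main__":
    external = find_external_api_requests(SAMPLE_LOG)
    for r in external:
        print(f'{r["ts"]} {r["ip"]} {r["method"]} {r["path"]} -> {r["status"]}')
    print("served requests per external IP:", dict(served_by_ip(external)))
```

Run it against the real access log by replacing SAMPLE_LOG with the file contents; the same ALLOWED_NETWORKS tuple is what the VPN or web-server allow rule should enforce, so any hit in the output is either a gap in that rule or activity that predates it.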

Exploitation status

Public Exploit Available: true

Analyst recommendation

Administrators should move immediately to update ChurchCRM to version 7.3.1. The presence of a public exploit significantly increases the risk of successful exploitation, making prompt remediation essential to prevent unauthorized access to sensitive organizational data.