CVE-2026-44547
ChurchCRM · ChurchCRM
ChurchCRM versions 7.2.0 through 7.2.2 ship an incomplete authentication fix: a critical security check is missing, leaving the application open to unauthorized access.
Executive summary
An incomplete authentication patch in ChurchCRM 7.2.0 through 7.2.2 allows unauthenticated attackers to bypass the application's access controls and reach functionality that should require a login.
Vulnerability
The vulnerability stems from a critical authentication step that was inadvertently dropped from the codebase during a merge, so the intended fix never fully landed in the released 7.2.x builds. As a result, unauthenticated users can skip the login requirement and call sensitive API functions directly.
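The failure mode described above, one authentication check lost in a merge with nothing to notice, is worth seeing in code. The block below is an added illustration written for this page in Python; it is not ChurchCRM code (ChurchCRM is a PHP application) and not a reconstruction of the actual missing check. It contrasts per-handler gating, where a dropped decorator silently reopens a route, with a dispatcher that denies by default, and adds a small regression check that walks the route table and reports any non-public route an anonymous request can reach. Route names, handlers and the session model are hypothetical.

```python
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Set


@dataclass
class Request:
    path: str
    session_user: Optional[str] = None  # None: no authenticated session


@dataclass
class Response:
    status: int
    body: str


# Hypothetical handlers standing in for "sensitive API functions".
def list_people(req: Request) -> Response:
    return Response(200, "people list")


def delete_person(req: Request) -> Response:
    return Response(200, "deleted")


# --- Per-route gating: the fragile pattern ---------------------------------
# Every handler carries its own check. If a merge drops one decorator line,
# that route is open and no other code path notices.
def require_auth(handler: Callable[[Request], Response]) -> Callable[[Request], Response]:
    def wrapped(req: Request) -> Response:
        if req.session_user is None:
            return Response(401, "login required")
        return handler(req)
    return wrapped


FRAGILE_ROUTES: Dict[str, Callable[[Request], Response]] = {
    "/api/people": require_auth(list_people),
    "/api/people/delete": delete_person,  # decorator lost in a merge (hypothetical)
}


def dispatch_fragile(routes: Dict[str, Callable[[Request], Response]], req: Request) -> Response:
    handler = routes.get(req.path)
    if handler is None:
        return Response(404, "not found")
    return handler(req)


# --- Central gating: deny by default ---------------------------------------
# The dispatcher itself refuses anonymous requests to anything not on an
# explicit public list, so losing a per-handler line cannot reopen a route.
PUBLIC_PATHS: Set[str] = {"/login", "/api/health"}


def dispatch_central(routes: Dict[str, Callable[[Request], Response]], req: Request) -> Response:
    if req.path not in PUBLIC_PATHS and req.session_user is None:
        return Response(401, "login required")
    handler = routes.get(req.path)
    if handler is None:
        return Response(404, "not found")
    return handler(req)


# --- Regression check for CI -----------------------------------------------
def unauthenticated_gaps(routes, dispatch, public_paths: Set[str] = PUBLIC_PATHS):
    """Return every non-public route that an anonymous request reaches with a
    status other than 401. A non-empty result is exactly the class of
    regression this advisory describes, caught before release."""
    return sorted(
        path for path in routes
        if path not in public_paths and dispatch(routes, Request(path=path)).status != 401
    )


if __name__ == "__main__":
    print("fragile dispatcher gaps:", unauthenticated_gaps(FRAGILE_ROUTES, dispatch_fragile))
    print("central dispatcher gaps:", unauthenticated_gaps(FRAGILE_ROUTES, dispatch_central))
```

The regression check is the part to keep: it needs no knowledge of which decorator was supposed to be on which handler, only the route table and the rule that non-public routes must answer 401 to an anonymous caller, so it keeps working as routes are added.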
Business impact
With a CVSS score of 9.6, this flaw is a major security risk: it can expose member databases and administrative functions to anyone who can reach the application. Successful exploitation could lead to data breaches, unauthorized data modification, and complete loss of application integrity.
Remediation
Immediate Action: Upgrade to ChurchCRM version 7.3.1 or later, where the authentication hardening is fully in place.
Proactive Monitoring: Review application access logs for suspicious API requests, in particular successful requests to API endpoints from unknown or unexpected IP addresses. Because the bypass needs no credentials, such requests can succeed without any preceding login.
Compensating Controls: Until the upgrade is done, restrict who can reach the CRM interface at the network level (VPN or IP allowlisting). Since exploitation requires no credentials, network reachability is the only remaining barrier.
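As an added illustration of the log-review and allowlisting steps above (this script is written for this page and is not part of the advisory or of ChurchCRM), the following Python scans web-server access logs in the common combined format and reports API calls that arrive from outside an allowlist of trusted networks. It assumes the API routes live under an `/api/` prefix; the log lines are constructed sample data, and 203.0.113.77 is a documentation address, not a real attacker.

```python
import ipaddress
import re
from collections import Counter
from typing import Dict, Iterable, List, Optional

# Combined log format as written by Apache and nginx by default.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample lines: one internal user browsing normally, one outside
# host calling API routes back to back with a scripting client.
SAMPLE_LOG = """\
10.0.5.23 - - [12/Mar/2026:09:14:02 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.5.23 - - [12/Mar/2026:09:14:15 +0000] "GET /api/people HTTP/1.1" 200 8450 "-" "Mozilla/5.0"
203.0.113.77 - - [12/Mar/2026:09:20:41 +0000] "GET /api/people HTTP/1.1" 200 8450 "-" "python-requests/2.31"
203.0.113.77 - - [12/Mar/2026:09:20:42 +0000] "GET /api/families HTTP/1.1" 200 6011 "-" "python-requests/2.31"
203.0.113.77 - - [12/Mar/2026:09:20:44 +0000] "POST /api/users HTTP/1.1" 200 212 "-" "python-requests/2.31"
198.51.100.9 - - [12/Mar/2026:09:31:05 +0000] "GET /login.php HTTP/1.1" 200 3100 "-" "Mozilla/5.0"
"""


def parse_line(line: str) -> Optional[Dict[str, object]]:
    """Parse one combined-format line; return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec: Dict[str, object] = m.groupdict()
    rec["status"] = int(m.group("status"))
    return rec


def in_allowlist(ip: str, networks: Iterable[ipaddress.IPv4Network]) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in networks)


def find_suspicious_api_requests(log_text: str, allowed_cidrs: List[str],
                                 api_prefix: str = "/api/") -> List[Dict[str, object]]:
    """Return API requests whose source address is outside the allowed networks.
    api_prefix is an assumption about where the application mounts its API."""
    networks = [ipaddress.ip_network(c, strict=False) for c in allowed_cidrs]
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not str(rec["path"]).startswith(api_prefix):
            continue
        if in_allowlist(str(rec["ip"]), networks):
            continue
        hits.append(rec)
    return hits


def summarize(hits: List[Dict[str, object]]) -> Dict[str, int]:
    """Count successful (2xx) outside-allowlist API calls per source address.
    A 2xx from an unknown host is the signal: on a vulnerable build it means
    the call went through without a login."""
    counts = Counter(str(h["ip"]) for h in hits if 200 <= int(h["status"]) < 300)
    return dict(counts)


if __name__ == "__main__":
    hits = find_suspicious_api_requests(SAMPLE_LOG, ["10.0.0.0/8"])
    for h in hits:
        print(f'{h["ts"]} {h["ip"]} {h["method"]} {h["path"]} -> {h["status"]}')
    print(summarize(hits))
```

Point it at the real access log and the networks your staff actually use; write methods (POST, PUT, DELETE) from unknown hosts deserve the first look, since the impact section above is about data modification as much as disclosure. The same allowlist used here is the one to enforce at the web server or firewall as the compensating control.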
Exploitation status
Public Exploit Available: true
Analyst recommendation
Administrators should update ChurchCRM to version 7.3.1 or later immediately. The availability of a public exploit significantly raises the likelihood of exploitation, so prompt remediation is essential to prevent unauthorized access to sensitive organizational data.