CVE-2026-35578 Overview
ChurchCRM, an open-source church management system, contains an open redirect vulnerability (CWE-601) in versions prior to 7.0.0. Multiple pages pass the linkBack query parameter to a redirect without validating it. An attacker can craft a link to a legitimate ChurchCRM page with linkBack set to an external URL; when an authenticated user opens that link and presses the 'Cancel' button, the application redirects them to the attacker-controlled destination. DonatedItemEditor.php is the documented example, but every page that honors linkBack is affected.
Critical Impact
An attacker who can get an authenticated user to open a crafted link can land that user on an arbitrary external site, which supports credential phishing (for example a look-alike ChurchCRM login page at the redirect target), malware delivery, or other social engineering. The redirect does not by itself disclose the session cookie or any ChurchCRM data; its value to the attacker is that the link genuinely starts on the organization's own ChurchCRM host and therefore passes casual inspection.
Affected Products
- ChurchCRM versions prior to 7.0.0
- All ChurchCRM installations with vulnerable linkBack parameter handling
- ChurchCRM components including DonatedItemEditor.php and other pages utilizing the linkBack functionality
Discovery Timeline
- 2026-04-07 - CVE-2026-35578 published to NVD
- 2026-04-09 - Last updated in NVD database
Technical Details for CVE-2026-35578
Vulnerability Analysis
This open redirect (CWE-601) stems from missing validation of the linkBack parameter on several ChurchCRM pages. Each affected page accepts a user-controlled URL in linkBack and, when the user presses 'Cancel', issues a redirect to that value, so an external destination silently replaces the expected return to an internal page.
Exploitation needs no privileges on the attacker's side. The attacker builds a URL to a legitimate ChurchCRM page with linkBack pointing at an external destination and persuades an authenticated user to open it; when the victim presses 'Cancel', the application sends them to the attacker's destination without any warning.
Root Cause
The root cause is insufficient input validation on the linkBack parameter: the application redirects to the supplied value without confirming that it is a relative path within the application or an absolute URL on an allowlisted host, so external URLs pass through unchanged. A correct fix has to do more than check for a leading slash, because browsers treat protocol-relative values such as //attacker.example (and /\attacker.example, since backslashes are folded into slashes) as a new host rather than a path.
Attack Vector
The attack vector is network-based and requires an authenticated user to click a malicious link. An attacker crafts a URL pointing to a legitimate ChurchCRM page but includes a manipulated linkBack parameter containing an external malicious URL. When the victim clicks the 'Cancel' button, the application processes the unvalidated linkBack value and redirects the user to the attacker-controlled site.
This vulnerability can be used as part of a phishing campaign where the attacker sends links that appear to point to the legitimate ChurchCRM domain but ultimately redirect users to credential harvesting pages or malware distribution sites.
Detection Methods for CVE-2026-35578
Indicators of Compromise
- HTTP requests to ChurchCRM pages containing linkBack parameters with external URLs or unusual domains
- User complaints or reports of unexpected redirects after clicking 'Cancel' buttons
- Server logs showing requests with linkBack values pointing to non-application URLs
Detection Strategies
- Monitor web server access logs for requests containing linkBack parameters with external domain values
- Implement web application firewall (WAF) rules to detect and block open redirect patterns in URL parameters
- Review browser history and proxy logs for redirections from ChurchCRM pages to unexpected external domains
Monitoring Recommendations
- Enable detailed access logging for the ChurchCRM application to capture full request URLs including query parameters
- Configure alerting for suspicious linkBack parameter values that contain external domain references
- Implement user behavior analytics to detect unusual navigation patterns indicative of phishing attempts
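The log-monitoring strategies above, as an added example that is not part of this advisory or of ChurchCRM: a small Python triage script that reads access-log lines in the combined log format, pulls the linkBack value out of each request line and flags values that would send a browser off-site (a URL scheme, a protocol-relative path, a backslash, control characters), including values that were percent-encoded twice. The log lines are constructed for the example, the IP addresses and hostnames are documentation values, and the trusted-host list is an assumption.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Combined log format as written by Apache and nginx by default; only the
# fields the scan needs are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# A value a browser would treat as leaving the site: a URL scheme ("https://",
# "https:evil", "javascript:"), a protocol-relative path ("//host", "///host"),
# or a backslash that browsers fold into a slash ("/\host", "\host").
EXTERNAL_RE = re.compile(r'^(?:[a-z][a-z0-9+.\-]*:|//|/*\\)', re.IGNORECASE)


def classify_link_back(value, trusted_hosts=frozenset()):
    """Return a reason string when value points off-site, else None.

    The access log holds the request line as sent, so parse_qs has already
    decoded one layer; the second unquote() catches double-encoded payloads
    such as https%253A%252F%252Fevil.example.
    """
    for candidate, note in ((value, ""), (unquote(value), " (double-encoded)")):
        if any(ord(c) < 0x20 or ord(c) == 0x7F for c in candidate):
            return "control characters in linkBack" + note
        if EXTERNAL_RE.match(candidate):
            host = urlsplit(candidate.replace("\\", "/")).hostname
            if host and host in trusted_hosts:
                return None
            return f"external linkBack target {candidate!r}" + note
    return None


def scan_access_log(lines, trusted_hosts=frozenset()):
    """Return one finding dict per suspicious linkBack value in the log lines."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a request line in the expected format
        target = urlsplit(m["target"])
        # keep_blank_values so "linkBack=" is still seen; the parameter name is
        # compared case-insensitively so a probe with odd casing is not missed.
        for name, values in parse_qs(target.query, keep_blank_values=True).items():
            if name.lower() != "linkback":
                continue
            for value in values:
                reason = classify_link_back(value, trusted_hosts)
                if reason:
                    findings.append({
                        "ip": m["ip"], "time": m["ts"], "path": target.path,
                        "status": m["status"], "value": value, "reason": reason,
                    })
    return findings


# Constructed sample log (combined format); hosts and addresses are documentation values.
SAMPLE_LOG = [
    '203.0.113.5 - - [07/Apr/2026:10:15:32 +0000] "GET /DonatedItemEditor.php?linkBack=%2Findex.php HTTP/1.1" 200 5123 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [07/Apr/2026:10:16:01 +0000] "GET /DonatedItemEditor.php?linkBack=https%3A%2F%2Fevil.example%2Flogin HTTP/1.1" 200 5123 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [07/Apr/2026:10:16:40 +0000] "GET /DonatedItemEditor.php?linkBack=%2F%2Fevil.example HTTP/1.1" 200 5123 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [07/Apr/2026:10:17:05 +0000] "GET /DonatedItemEditor.php?linkBack=%2F%5Cevil.example HTTP/1.1" 200 5123 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [07/Apr/2026:10:17:30 +0000] "GET /DonatedItemEditor.php?linkback=https%253A%252F%252Fevil.example HTTP/1.1" 200 5123 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [07/Apr/2026:10:18:00 +0000] "GET /DonatedItemEditor.php?linkBack=https%3A%2F%2Fcrm.example.org%2Findex.php HTTP/1.1" 200 5123 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [07/Apr/2026:10:18:20 +0000] "GET /index.php HTTP/1.1" 200 812 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    # Assumed trusted host: the organization's own ChurchCRM hostname.
    for f in scan_access_log(SAMPLE_LOG, trusted_hosts={"crm.example.org"}):
        print(f"{f['time']}  {f['ip']:15} {f['path']}  {f['reason']}")
```

Run it over a real access log by replacing SAMPLE_LOG with the file's lines; only requests with a linkBack query parameter are examined, so it is cheap to run over a long history. Because the log only records the request line, a request that carried linkBack in a POST body will not be seen here.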
How to Mitigate CVE-2026-35578
Immediate Actions Required
- Upgrade ChurchCRM to version 7.0.0 or later immediately
- Review server logs for any evidence of exploitation attempts using malicious linkBack parameters
- Educate users about the risks of clicking links in unsolicited emails or messages that redirect through ChurchCRM
Patch Information
The vulnerability has been fixed in ChurchCRM version 7.0.0. Organizations running earlier versions should upgrade to the patched release as soon as possible. For detailed information about the security fix, refer to the GitHub Security Advisory.
Workarounds
- If an immediate upgrade is not possible, add a web application firewall rule that blocks requests whose linkBack value begins with a URL scheme, with '//' or with a backslash; match against the URL-decoded value, since the parameter is normally percent-encoded and may be encoded twice
- Temporarily restrict access to ChurchCRM to trusted internal networks only; this shrinks the pool of people who can reach the vulnerable pages but does not stop the attack against a user who is already on the network, so treat it as a supplement to the upgrade, not a substitute
- Manually patch every page that honors linkBack (not only DonatedItemEditor.php) so that the value is used only when it is a root-relative path or an absolute URL on an approved internal host, and falls back to a fixed internal page otherwise
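The validation that the Root Cause section says is missing and that the last workaround above tells you to add by hand, as an added reference implementation in Python (it is not ChurchCRM's PHP and not taken from the 7.0.0 fix; the function names, the default fallback target and the allowed-host set are this example's assumptions). The unchecked 'before' is kept beside the hardened form, and the probes cover the bypasses that a plain "starts with /" test misses: protocol-relative paths, backslashes, scheme-only URLs, userinfo tricks and CR/LF.

```python
from urllib.parse import urlsplit


def unchecked_link_back(link_back, default="/"):
    """The pattern the advisory describes: whatever arrived in linkBack becomes
    the Cancel target. Kept here only as the 'before' for comparison."""
    return link_back or default


def safe_link_back(link_back, default="/", allowed_hosts=frozenset()):
    """Return link_back only if a browser would stay on this site (or reach an
    explicitly allowed host over https); otherwise return a fixed default.

    Rejected, in order:
      * non-string or empty values, and any character <= 0x20 or 0x7F (CR, LF,
        tab, space): browsers strip some of these, and CR/LF can inject headers
      * any backslash: browsers turn "/\\evil.example" into "//evil.example"
      * absolute URLs ("https://evil.example"), scheme-only URLs
        ("https:evil.example", "javascript:...") and "user@host" tricks, unless
        the scheme is https and the parsed host is in allowed_hosts
      * protocol-relative paths ("//evil.example", "///evil.example"), which
        browsers resolve as a new authority
    Only root-relative paths such as "/DonatedItemEditor.php?..." pass through.
    The names, the default target and allowed_hosts are this example's assumptions.
    """
    if not isinstance(link_back, str) or not link_back:
        return default
    if any(ord(c) <= 0x20 or ord(c) == 0x7F for c in link_back):
        return default
    if "\\" in link_back:
        return default

    parts = urlsplit(link_back)
    if parts.scheme or parts.netloc:
        # parts.hostname is None for "https:evil.example" (no authority) and is
        # "evil.example" for "https://allowed.example@evil.example".
        if parts.scheme == "https" and parts.hostname in allowed_hosts:
            return link_back
        return default

    # No scheme and no authority: require exactly one leading "/".
    if not link_back.startswith("/") or link_back.startswith("//"):
        return default
    return link_back


# Constructed probes: (linkBack value, allowed-host set for that probe).
PROBES = [
    ("/DonatedItemEditor.php?linkBack=x", frozenset()),
    ("https://evil.example/login", frozenset()),
    ("//evil.example", frozenset()),
    ("///evil.example", frozenset()),
    ("/\\evil.example", frozenset()),
    ("https:evil.example", frozenset()),
    ("javascript:alert(1)", frozenset()),
    ("/x\r\nLocation: https://evil.example", frozenset()),
    ("https://crm.example.org/index.php", frozenset({"crm.example.org"})),
    ("https://crm.example.org@evil.example/", frozenset({"crm.example.org"})),
]

if __name__ == "__main__":
    for value, hosts in PROBES:
        print(f"{value!r:45} unchecked -> {unchecked_link_back(value)!r:45} "
              f"safe -> {safe_link_back(value, allowed_hosts=hosts)!r}")
```

The same decision order carries over to a PHP patch: reject control characters and backslashes first, then parse, then allow only a root-relative path or an https URL whose host is on a short fixed list, and fall back to a known internal page in every other case. Whatever the page that receives linkBack passes to the redirect should be the function's return value, never the raw parameter.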
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.