CVE-2026-39940 Overview
CVE-2026-39940 is an Open Redirect vulnerability (CWE-601) in ChurchCRM, an open-source church management system. Before version 7.0.0, multiple pages in the application passed the linkBack query parameter straight into a redirect. When an authenticated user opens a crafted link and then clicks the page's 'Cancel' button, the browser is sent to whatever URL the attacker placed in linkBack.
Critical Impact
The ChurchCRM server itself is not compromised; the damage is to its users, who can be sent from a page on the trusted ChurchCRM origin to an attacker-controlled site hosting a credential-harvesting clone of the login page, malware, or further social engineering. Every endpoint that honours the linkBack parameter is affected.
Affected Products
- ChurchCRM versions prior to 7.0.0
- DonatedItemEditor.php and every other ChurchCRM page that redirects based on the linkBack parameter
- Any installation, since the only precondition is that the victim holds an authenticated session
Discovery Timeline
- April 13, 2026 - CVE-2026-39940 published to NVD
- April 13, 2026 - Last updated in NVD database
Technical Details for CVE-2026-39940
Vulnerability Analysis
This vulnerability falls under CWE-601 (URL Redirection to Untrusted Site), commonly known as an Open Redirect vulnerability. The core issue lies in the application's failure to properly validate or sanitize the linkBack parameter before using it for page redirections. When users interact with certain UI elements, particularly the 'Cancel' button, the application redirects them to the URL specified in the linkBack parameter without verifying that the destination is a trusted domain.
The vulnerability is reachable over the network and needs only low privileges (an ordinary authenticated session) plus user interaction (following the link and clicking 'Cancel'). Confidentiality, integrity and availability of the ChurchCRM server itself are barely affected; the impact lands outside the vulnerable component, in the victim's browser, which is why the trusted ChurchCRM origin can be borrowed for social engineering.
Root Cause
The root cause is improper input validation of the linkBack parameter across multiple PHP files in the ChurchCRM application. The DonatedItemEditor.php file serves as one example, but the vulnerability pattern exists wherever the linkBack parameter is processed. The application trusts user-supplied URL values without implementing proper validation to ensure redirects only occur to legitimate, trusted destinations within the application's domain.
Attack Vector
The attack is network-based and requires an authenticated user to be tricked into visiting a specially crafted URL. The attacker constructs a link to a legitimate ChurchCRM page but injects a malicious URL into the linkBack parameter. When the victim, who is already authenticated to ChurchCRM, clicks this link and then presses the 'Cancel' button, they are redirected to the attacker-controlled site.
This attack vector is particularly effective for phishing campaigns because the initial link appears to point to a legitimate ChurchCRM installation, making it more likely that users will trust it. The malicious destination could host a fake login page designed to harvest credentials or serve malware.
Detection Methods for CVE-2026-39940
Indicators of Compromise
- Review web server access logs for requests whose linkBack value is an absolute URL to an external host, remembering that the value may be percent-encoded (linkBack=https%3A%2F%2F...) or protocol-relative (linkBack=//host), so a search for the literal string "https://" will miss some attempts
- Look for unusual access patterns to DonatedItemEditor.php and other pages that honour linkBack, particularly values that are double-encoded or otherwise obfuscated
- Check for user-reported phishing incidents that originated from links appearing to point to the ChurchCRM installation
Detection Strategies
- Add a web application firewall (WAF) rule that blocks requests whose linkBack value resolves to a host other than the ChurchCRM installation's own, in encoded as well as plain form
- Alert on access-log entries where the decoded linkBack value carries a scheme or host and that host does not match the installation's domain
- The redirect itself happens in the victim's browser and leaves no further trace on the server, so correlate flagged requests with the authenticated user or session that made them in order to identify and warn affected users
Monitoring Recommendations
- Enable detailed logging of all HTTP requests to ChurchCRM, specifically capturing query string parameters
- Alert on access-log entries whose linkBack value, after URL decoding, begins with http://, https:// or // and does not point at the installation's own host
- Where workstation web-proxy or DNS logs are available, look for visits to the flagged redirect destinations immediately after a ChurchCRM request, since the outbound connection originates from the user's browser, not from the server
How to Mitigate CVE-2026-39940
Immediate Actions Required
- Upgrade ChurchCRM to version 7.0.0 or later immediately to address this vulnerability
- Review access logs to determine if this vulnerability has been exploited in your environment
- Notify users about potential phishing attempts that may leverage links to your ChurchCRM installation
- Consider implementing additional URL validation at the web server or WAF level as defense-in-depth
Patch Information
This vulnerability is fixed in ChurchCRM version 7.0.0. Organizations should upgrade to this version or later to remediate the issue. Additional details about the security fix can be found in the GitHub Security Advisory GHSA-5g52-rvjf-6wwf and the related GitHub Security Advisory GHSA-v3hj-33xf-qx47.
Workarounds
- Deploy a web application firewall (WAF) rule that rejects requests whose linkBack value is an absolute or protocol-relative URL, in plain or percent-encoded form
- Patch the redirect handling so that linkBack is validated server-side against an allowlist: accept only same-origin relative paths, or absolute URLs whose host matches the installation's own, and fall back to a fixed page otherwise
- Consider temporarily disabling or restricting access to affected pages (such as DonatedItemEditor.php) until the upgrade can be completed
# Example Apache mod_rewrite rule to block external redirect targets in the linkBack parameter
# Add to .htaccess (needs AllowOverride FileInfo) or the Apache configuration
# QUERY_STRING is matched undecoded, so cover plain and percent-encoded forms, plus
# protocol-relative "//host" and "/\host" targets, which a bare "https?://" pattern lets through
RewriteEngine On
RewriteCond %{QUERY_STRING} (^|&)linkBack=(https?(:|%3A)|(/|%2F)(/|%2F|\\|%5C)) [NC]
RewriteRule .* - [F,L]
# Defence in depth only: this does not inspect POST bodies and does not replace the 7.0.0 upgrade
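As an added example, not ChurchCRM's own code, the following PHP implements the allowlist-based redirect validation the workaround list calls for and reuses the same check to scan access-log lines for the external, encoded and protocol-relative linkBack values the detection section describes. The hostname crm.example.org, the sample log lines, the function names and the ALLOWED_HOSTS constant are this example's assumptions; the vulnerable pattern quoted in the trailing comment paraphrases the behaviour the advisory describes and is not the project's source.

```php
<?php
// Added example, not ChurchCRM code. Assumptions: the ChurchCRM host is
// crm.example.org, log lines are Apache combined format, and the helper
// names below are this example's own.

/** Hosts that a linkBack value may point to (assumed; keep lowercase). */
const ALLOWED_HOSTS = ['crm.example.org'];

/**
 * True only if $value is a same-origin path ("/page.php?x=1") or an
 * http(s) URL whose host is allowlisted. Rejects other schemes
 * (javascript:, data:), protocol-relative "//host", the "/\host" form
 * browsers normalise to "//host", userinfo tricks ("https://good@evil"),
 * lookalike hosts, and control characters (CRLF header injection).
 */
function isSafeLinkBack(?string $value, array $allowedHosts): bool
{
    if ($value === null || $value === '' || preg_match('/[\x00-\x1f\x7f]/', $value)) {
        return false;
    }
    if ($value[0] === '/') {
        // Exactly one leading slash; "//" and "/\" would leave the origin.
        return (bool) preg_match('#^/(?![/\\\\])#', $value);
    }
    $parts = parse_url($value);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return false; // bare "evil.example", "javascript:...", malformed input
    }
    // The port is deliberately not checked: same host, any port, is accepted here.
    return in_array(strtolower($parts['scheme']), ['http', 'https'], true)
        && in_array(strtolower($parts['host']), $allowedHosts, true);
}

/** Validated redirect target, or $fallback when the value is unsafe. */
function safeLinkBack(?string $value, array $allowedHosts, string $fallback = '/'): string
{
    return isSafeLinkBack($value, $allowedHosts) ? $value : $fallback;
}

/**
 * Scan access-log lines and return the requests whose linkBack value fails
 * isSafeLinkBack(). parse_str() URL-decodes, so "%2F%2Fhost" is caught as
 * "//host" even though the raw line never contains "https://".
 */
function findSuspiciousLinkBack(array $logLines, array $allowedHosts): array
{
    $hits = [];
    foreach ($logLines as $line) {
        // Request line inside the log entry: "GET /path?query HTTP/1.1"
        if (!preg_match('/"(?:GET|POST|HEAD) (\S+) HTTP\/[\d.]+"/', $line, $m)) {
            continue;
        }
        $query = parse_url($m[1], PHP_URL_QUERY);
        if (!is_string($query)) {
            continue;
        }
        parse_str($query, $params);
        if (isset($params['linkBack']) && !isSafeLinkBack($params['linkBack'], $allowedHosts)) {
            $hits[] = ['request' => $m[1], 'linkBack' => $params['linkBack']];
        }
    }
    return $hits;
}

// Constructed sample log lines (not real traffic).
$sampleLog = [
    '203.0.113.5 - - [13/Apr/2026:10:00:01 +0000] "GET /DonatedItemEditor.php?linkBack=/index.php HTTP/1.1" 200 5120',
    '203.0.113.9 - - [13/Apr/2026:10:02:17 +0000] "GET /DonatedItemEditor.php?linkBack=https://login.example.net/churchcrm HTTP/1.1" 200 5120',
    '198.51.100.7 - - [13/Apr/2026:10:03:44 +0000] "GET /DonatedItemEditor.php?linkBack=%2F%2Fattacker.example%2F HTTP/1.1" 200 5120',
    '198.51.100.8 - - [13/Apr/2026:10:04:02 +0000] "GET /DonatedItemEditor.php?linkBack=https://crm.example.org/index.php HTTP/1.1" 200 5120',
    '198.51.100.8 - - [13/Apr/2026:10:05:00 +0000] "GET /index.php HTTP/1.1" 200 2048',
];

foreach (findSuspiciousLinkBack($sampleLog, ALLOWED_HOSTS) as $hit) {
    echo "suspicious linkBack: {$hit['linkBack']}  in {$hit['request']}\n";
}

// The vulnerable pattern the advisory describes amounts to:
//     header('Location: ' . $_GET['linkBack']);
// The hardened form falls back to a fixed page instead of trusting the input:
//     header('Location: ' . safeLinkBack($_GET['linkBack'] ?? null, ALLOWED_HOSTS, '/index.php'));
```

Run it with `php linkback_check.php`; against the constructed lines it reports the login.example.net entry and the percent-encoded //attacker.example entry and nothing else. parse_url() is used only to split out the scheme and host; the decision is the exact allowlist comparison, which is why a lookalike such as crm.example.org.attacker.example or a userinfo trick such as https://crm.example.org@attacker.example is rejected. Relative paths are accepted only when they begin with a single slash, because browsers treat both "//host" and "/\host" as a new origin.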
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.