CVE-2026-42288 Overview
CVE-2026-42288 is a pre-authentication remote code execution vulnerability in ChurchCRM, an open-source church management system. The flaw exists in the application's setup wizard, where the DB_PASSWORD parameter is processed without proper sanitization. Attackers can inject and execute arbitrary code on the underlying server without authentication.
This vulnerability is an incomplete-fix issue stemming from CVE-2026-39337. The original patch did not fully remediate the injection path, leaving the setup wizard exploitable. ChurchCRM versions prior to 7.3.2 are affected, and the issue is fixed in release 7.3.2. The flaw is classified as Code Injection [CWE-94].
Critical Impact
Unauthenticated attackers can execute arbitrary code on ChurchCRM servers via the setup wizard, leading to full system compromise.
Affected Products
- ChurchCRM versions prior to 7.3.2
- ChurchCRM setup wizard component
- Deployments that applied the earlier CVE-2026-39337 patch, which is incomplete and does not close this path
Discovery Timeline
- 2026-05-12 - CVE-2026-42288 published to NVD
- 2026-05-13 - Last updated in NVD database
Technical Details for CVE-2026-42288
Vulnerability Analysis
The vulnerability resides in ChurchCRM's setup wizard, which is reachable before authentication is established. The wizard accepts a DB_PASSWORD value supplied by the requester and incorporates it into generated configuration or code without adequate sanitization. Attacker-controlled content is interpreted as executable code by the PHP runtime.
Because the setup wizard is exposed during initial deployment and remains reachable in misconfigured installations, network-based attackers can reach the vulnerable endpoint without credentials. Successful exploitation yields code execution under the privileges of the web server process.
This issue is a continuation of CVE-2026-39337. The earlier remediation filtered some injection vectors but did not eliminate the underlying unsafe handling of DB_PASSWORD. The vulnerability's scope designation indicates that compromising the web application affects components beyond the application's own security boundary.
Root Cause
The root cause is improper neutralization of user-supplied input used in code generation [CWE-94]. The DB_PASSWORD value is written into a configuration artifact that is later evaluated. Special characters in the password field break out of the intended string context and inject PHP code. The incomplete prior fix did not enforce strict character allowlisting or safe serialization of the value.
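The following is an added illustration of the root-cause pattern and its fix, not ChurchCRM code: the installer layout (a Config.php built from define() calls), the allowed character set and every function name are assumptions. It contrasts raw string interpolation into generated PHP source with a serializer that escapes the value the way PHP's own var_export() does for ordinary strings, and includes a check that verifies the emitted value is still exactly one string literal.

```python
"""Safe vs. unsafe emission of a credential into a generated PHP config file.

Added example (not ChurchCRM code). Assumed layout: a Config.php consisting of
define('KEY', 'value'); lines. The CWE-94 pattern described above is that a
value pasted into PHP source can terminate its string literal unless it is
validated and escaped before it is written.
"""
import re

# Assumption: the only keys the hypothetical installer may write.
ALLOWED_KEYS = {"DB_SERVER", "DB_NAME", "DB_USER", "DB_PASSWORD"}

# Allowlist for the value: printable ASCII, no control characters. The exact
# character set is an assumption; tune it to the deployment's password policy.
PRINTABLE_ASCII = re.compile(r"^[\x20-\x7e]*$")


def unsafe_render(key: str, value: str) -> str:
    """The vulnerable pattern: raw interpolation of the value into PHP source."""
    return f"define('{key}', '{value}');"


def php_single_quoted(value: str) -> str:
    """Serialize a str as a PHP single-quoted literal.

    Inside PHP single quotes only backslash and single quote are special; this
    is the escaping PHP's var_export() applies to ordinary strings.
    """
    return "'" + value.replace("\\", "\\\\").replace("'", "\\'") + "'"


def value_is_allowed(value: str) -> bool:
    """Strict character allowlisting before the value is serialized."""
    return PRINTABLE_ASCII.match(value) is not None


def safe_render(key: str, value: str) -> str:
    """Hardened emission: validate key and value, then escape the value."""
    if key not in ALLOWED_KEYS:
        raise ValueError(f"refusing to write unknown config key {key!r}")
    if not value_is_allowed(value):
        raise ValueError("config value contains non-printable characters")
    return f"define({php_single_quoted(key)}, {php_single_quoted(value)});"


def string_literal_intact(line: str) -> bool:
    """Check that the second define() argument is exactly one PHP string literal.

    Walk the value: a backslash escapes the next character; the first unescaped
    quote must be immediately followed by ");" and end of line. Anything else
    means the value escaped its string context.
    """
    m = re.match(r"define\('[A-Z_]+', '", line)
    if not m:
        return False
    i = m.end()
    while i < len(line):
        ch = line[i]
        if ch == "\\":
            i += 2          # skip the escaped character
            continue
        if ch == "'":
            return line[i:] == "');"
        i += 1
    return False


if __name__ == "__main__":
    # Constructed sample: a perfectly ordinary password containing a quote.
    pw = "O'Brien"
    print(unsafe_render("DB_PASSWORD", pw), string_literal_intact(unsafe_render("DB_PASSWORD", pw)))
    print(safe_render("DB_PASSWORD", pw), string_literal_intact(safe_render("DB_PASSWORD", pw)))
```

With an ordinary password such as O'Brien the unsafe renderer already produces a line whose literal ends early (a syntax error at best), while the safe renderer keeps the value inside the literal; the allowlist rejects control characters before serialization is even attempted, which is the layered check the incomplete fix lacked.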
Attack Vector
An unauthenticated remote attacker sends a crafted request to the setup wizard endpoint with a malicious DB_PASSWORD payload. The injected payload escapes the password string literal in the resulting configuration file and is executed when the file is included by the application. No user interaction is required. The vulnerability mechanism is documented in the ChurchCRM GitHub Security Advisory.
Detection Methods for CVE-2026-42288
Indicators of Compromise
- Unexpected HTTP POST requests to ChurchCRM setup wizard endpoints after initial installation
- Modifications to ChurchCRM configuration files containing PHP syntax inside database credential fields
- Web server worker processes spawning shell interpreters (sh, bash) or additional php processes, especially ones that initiate outbound network connections
- New or modified files in the ChurchCRM web root with recent timestamps not matching deployment activity
Detection Strategies
- Monitor web server access logs for requests reaching the setup wizard on production systems where setup should be disabled
- Inspect ChurchCRM configuration files for non-printable characters or PHP tags within DB_PASSWORD storage
- Correlate web server child processes against a baseline of expected PHP execution behavior
Monitoring Recommendations
- Alert on any access to setup wizard URIs from external IP ranges
- Track integrity of the ChurchCRM application directory using file integrity monitoring
- Capture outbound connections initiated by the web server user to identify post-exploitation callbacks
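The detection strategies and monitoring recommendations above (setup wizard requests after installation or from external ranges, and PHP tags or control characters in the stored DB_PASSWORD) can be implemented as a small scanner. The code below is an added example, not part of the advisory or of ChurchCRM; it assumes an Apache/nginx combined-format access log, that the wizard is served under /setup (the path used in the Apache example later on this page), that the internal ranges are the two private networks from that example, and that the config file stores the credential as a define('DB_PASSWORD', '...') line. The log lines and configuration text are constructed samples.

```python
"""Scanner for the ChurchCRM setup-wizard indicators described above.

Added example, not ChurchCRM code. Assumptions: combined-format access log,
wizard under /setup, credential stored as define('DB_PASSWORD', '...').
"""
import ipaddress
import re
from datetime import datetime, timezone

SETUP_PATH_PREFIX = "/setup"  # assumption: wizard URI prefix; adjust to the deployment
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                 ipaddress.ip_network("192.168.0.0/16")]

# Combined log format: ip ident user [ts] "METHOD path proto" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed samples: the install finished on 10 May; one legitimate wizard
# request from an admin workstation before that, then wizard requests from an
# external address days later, plus an unrelated page view.
INSTALL_COMPLETED = datetime(2026, 5, 10, 12, 0, tzinfo=timezone.utc)
SAMPLE_LOG = """\
192.168.1.20 - - [10/May/2026:09:00:01 +0000] "POST /setup/index.php HTTP/1.1" 302 0
203.0.113.45 - - [14/May/2026:02:13:07 +0000] "GET /setup/index.php HTTP/1.1" 200 1834
203.0.113.45 - - [14/May/2026:02:13:09 +0000] "POST /setup/index.php HTTP/1.1" 200 512
198.51.100.7 - - [14/May/2026:03:00:00 +0000] "GET /index.php HTTP/1.1" 200 9000
"""
SAMPLE_CONFIG_CLEAN = (
    "<?php\n"
    "define('DB_SERVER', 'localhost');\n"
    "define('DB_PASSWORD', 'O\\'Brien');\n"   # properly escaped quote is fine
)
SAMPLE_CONFIG_TAMPERED = (
    "<?php\n"
    "define('DB_PASSWORD', 'abc<?php echo 1; ?>');\n"  # PHP tags do not belong here
)


def parse_line(line: str):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    return rec


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def suspicious_setup_requests(log_text: str, install_completed: datetime):
    """Return (ip, method, path) for wizard requests made after the install
    was completed or originating outside the internal ranges."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not rec["path"].startswith(SETUP_PATH_PREFIX):
            continue
        if rec["ts"] > install_completed or not is_internal(rec["ip"]):
            hits.append((rec["ip"], rec["method"], rec["path"]))
    return hits


CONFIG_VALUE_RE = re.compile(r"define\('DB_PASSWORD',\s*'(?P<val>.*)'\);")


def inspect_config(config_text: str):
    """Return the reasons the stored DB_PASSWORD looks tampered with (empty if clean)."""
    reasons = []
    for line in config_text.splitlines():
        m = CONFIG_VALUE_RE.search(line)
        if not m:
            continue
        val = m.group("val")
        if "<?" in val or "?>" in val:
            reasons.append("PHP tag inside DB_PASSWORD")
        if re.search(r"[\x00-\x1f\x7f]", val):
            reasons.append("control character inside DB_PASSWORD")
        if re.search(r"(?<!\\)'", val):  # an unescaped quote ends the literal early
            reasons.append("unescaped quote inside DB_PASSWORD")
    return reasons


if __name__ == "__main__":
    for hit in suspicious_setup_requests(SAMPLE_LOG, INSTALL_COMPLETED):
        print("setup wizard request:", hit)
    print("clean config:", inspect_config(SAMPLE_CONFIG_CLEAN))
    print("tampered config:", inspect_config(SAMPLE_CONFIG_TAMPERED))
```

Run against real data, feed the access log text and the real installation completion time to suspicious_setup_requests, and the contents of the configuration file to inspect_config; any hit from the first or any reason from the second should be triaged together with the file-integrity and process-spawn indicators listed above. If the application sits behind a reverse proxy, use the forwarded client address rather than the proxy's, or the internal-range test will pass for every request.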
How to Mitigate CVE-2026-42288
Immediate Actions Required
- Upgrade ChurchCRM to version 7.3.2 immediately on all instances
- Restrict network access to ChurchCRM setup wizard endpoints from untrusted networks
- Audit existing ChurchCRM installations for signs of prior exploitation against CVE-2026-39337 or CVE-2026-42288
- Rotate database credentials and any secrets stored on compromised hosts
Patch Information
ChurchCRM 7.3.2 contains the complete fix for the unsanitized DB_PASSWORD injection path. Administrators must upgrade from any version prior to 7.3.2, including versions that received only the incomplete CVE-2026-39337 patch. Patch details are available in the ChurchCRM GitHub Security Advisory GHSA-mp2w-4q3r-ppx7.
Workarounds
- Disable or remove the setup wizard files after initial installation is complete
- Place ChurchCRM behind a web application firewall with rules blocking PHP metacharacters in setup parameters
- Restrict access to the application using network-layer controls until the upgrade is applied
# Configuration example: restrict setup wizard access via Apache (httpd 2.4 with mod_authz_host).
# Adjust the path to wherever the wizard is actually served. Multiple Require lines in a
# section are OR'd, so a client in either private range is admitted and all others get 403.
# Behind a reverse proxy the source address is the proxy's, so configure the proxy to pass
# the real client address (mod_remoteip) before relying on this rule.
<Location "/setup">
Require ip 10.0.0.0/8
Require ip 192.168.0.0/16
</Location>
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.