CVE-2026-42289 Overview
CVE-2026-42289 is a Cross-Site Request Forgery (CSRF) vulnerability in ChurchCRM, an open-source church management system. The flaw resides in UserEditor.php, which processes user account creation and permission updates entirely from $_POST parameters without validating a CSRF token. An attacker who holds no account on the target can craft a malicious HTML page that, when visited by an authenticated administrator, silently elevates a low-privilege user to administrator or creates a new backdoor admin account. The vulnerability affects ChurchCRM versions prior to 7.3.2 and is fixed in release 7.3.2. The advisory maps the weakness to CWE-269: Improper Privilege Management.
Critical Impact
Successful exploitation grants attackers full administrator access to ChurchCRM, exposing congregation data, financial records, and platform configuration.
Affected Products
- ChurchCRM versions prior to 7.3.2
- UserEditor.php, the component handling user account creation and permission updates
Discovery Timeline
- 2026-05-12 - CVE-2026-42289 published to NVD
- 2026-05-14 - Last updated in NVD database
Technical Details for CVE-2026-42289
Vulnerability Analysis
The vulnerability stems from missing CSRF protection in the UserEditor.php endpoint. ChurchCRM accepts user creation and permission modification requests using $_POST parameters without verifying an anti-CSRF token tied to the administrator session. Browsers attach session cookies to cross-origin form submissions unless the cookie carries an enforced SameSite=Lax or SameSite=Strict attribute (Chromium-based browsers treat cookies without a SameSite attribute as Lax, which blocks cookie attachment on most cross-site POSTs; other browsers, and any cookie explicitly set with SameSite=None, remain exposed). Where the cookie is sent, any authenticated administrator visiting attacker-controlled content unknowingly submits privileged requests. The attack requires user interaction from a victim with administrative rights but no prior authentication or privileges on the attacker side. Impact spans confidentiality, integrity, and availability, since a planted administrator account allows full data access, modification of records, and disruption of the application.
Root Cause
The root cause is the absence of CSRF token validation on state-changing requests handled by UserEditor.php. The script trusts $_POST inputs that govern account creation and role assignment without verifying request origin or a synchronizer token. This design fits the CWE-269 pattern, where privilege changes are accepted without enforcing the controls required to prevent unauthorized escalation.
Attack Vector
An attacker hosts a malicious HTML page containing a hidden form or JavaScript that auto-submits POST requests to the target ChurchCRM instance's UserEditor.php endpoint. The attacker lures an authenticated administrator to the page through phishing, a watering-hole site, or a malicious link. The victim's browser includes the active ChurchCRM session cookie, causing the application to process the forged request as a legitimate administrative action. The attacker can elevate an existing low-privilege account or insert a new account with full administrator permissions, establishing persistent access.
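To make the vulnerable pattern and its fix concrete, here is an added illustration written for this page. It is not ChurchCRM's code: the handler is a hypothetical minimal stand-in for UserEditor.php, and the field names username, admin and csrf_token, the origin https://churchcrm.example.org and the sketched attacker page are all assumptions. The vulnerable handler acts on $_POST alone; the hardened handler requires a synchronizer token bound to the administrator's session and, as a second layer, rejects a mismatched Origin header.

```php
<?php
// Added illustration, not ChurchCRM's own code. Hypothetical minimal handler
// modelled on the advisory's description of UserEditor.php. Field names,
// origin and the attacker page below are assumptions.
declare(strict_types=1);

/* What the attacker hosts (hypothetical). The victim's browser attaches the
   ChurchCRM session cookie to this auto-submitted cross-site POST:
   <form action="https://churchcrm.example.org/UserEditor.php" method="POST">
     <input type="hidden" name="username" value="alice">
     <input type="hidden" name="admin" value="1">
   </form><script>document.forms[0].submit()</script>                       */

// --- Vulnerable pattern: every field comes straight from $_POST. ---
function vulnerableHandler(array $post, array &$users): string
{
    $user    = (string) ($post['username'] ?? '');
    $isAdmin = (($post['admin'] ?? '0') === '1');
    $users[$user] = ['admin' => $isAdmin];   // a forged POST lands here unchecked
    return "updated $user";
}

// --- Hardened pattern: synchronizer token plus Origin check. ---
function issueCsrfToken(array &$session): string
{
    if (empty($session['csrf_token'])) {
        $session['csrf_token'] = bin2hex(random_bytes(32)); // per-session secret
    }
    return $session['csrf_token'];   // rendered into the admin's form as a hidden field
}

function hardenedHandler(array $post, array $headers, array $session,
                         string $selfOrigin, array &$users): string
{
    // Layer 1: the token must match the one stored in the session.
    // hash_equals() compares in constant time.
    $expected = $session['csrf_token'] ?? '';
    $given    = $post['csrf_token'] ?? '';
    if ($expected === '' || !is_string($given) || !hash_equals($expected, $given)) {
        return 'rejected: missing or invalid CSRF token';
    }
    // Layer 2: browsers send Origin on cross-site POSTs; reject a foreign one.
    $origin = $headers['Origin'] ?? null;
    if ($origin !== null && $origin !== $selfOrigin) {
        return 'rejected: cross-origin request';
    }
    return vulnerableHandler($post, $users);   // same business logic, now gated
}

// Constructed request samples (not captured traffic).
$self      = 'https://churchcrm.example.org';
$session   = [];
$token     = issueCsrfToken($session);
$usersVuln = ['alice' => ['admin' => false]];
$usersHard = ['alice' => ['admin' => false]];

// Forged request from the attacker page: session cookie rides along, but the
// attacker cannot read the token and so cannot include it.
$forged        = ['username' => 'alice', 'admin' => '1'];
$forgedHeaders = ['Origin' => 'https://attacker.example'];

echo vulnerableHandler($forged, $usersVuln), "\n";                            // alice is elevated
echo hardenedHandler($forged, $forgedHeaders, $session, $self, $usersHard), "\n"; // refused

// Legitimate request: the admin's own form echoes the token back.
$legit = ['username' => 'bob', 'admin' => '1', 'csrf_token' => $token];
echo hardenedHandler($legit, ['Origin' => $self], $session, $self, $usersHard), "\n";
var_dump($usersVuln['alice']['admin'], $usersHard['alice']['admin']);
```

Run it with `php csrf_demo.php`. The token check alone defeats the forgery; the Origin check is defence in depth for the case where a token leaks or a handler is missed, and it deliberately allows a request with no Origin header so that older clients still work once the token is validated.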
No verified exploit code is published. See the GitHub Security Advisory for technical details.
Detection Methods for CVE-2026-42289
Indicators of Compromise
- Unexpected new administrator accounts created in the ChurchCRM user_usr table or visible in the user management interface.
- Permission changes on existing accounts that do not correspond to documented administrator actions or change tickets.
- HTTP POST requests to UserEditor.php whose Origin or Referer header points to an external or unknown domain, or that carry neither header (an attacker page can suppress Referer with a no-referrer policy, so its absence on a state-changing POST is itself notable).
Detection Strategies
- Review web server access logs for POST requests to UserEditor.php and correlate them with authenticated administrator session activity.
- Audit ChurchCRM user and role tables on a recurring schedule to detect unauthorized account additions or privilege escalations.
- Inspect HTTP Origin and Referer headers on POST requests to administrative endpoints and flag values that do not match the application's own origin; treat a POST with neither header as suspicious rather than benign.
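The log-review and header-inspection steps above, as an added example that is not part of the advisory or of ChurchCRM: a PHP script that parses access-log lines in an assumed custom format recording both Referer and Origin (for Apache, LogFormat "%h %t \"%r\" %>s \"%{Referer}i\" \"%{Origin}i\"") and flags POSTs to UserEditor.php whose headers do not match the application host. The hostname churchcrm.example.org and the sample log lines are constructed.

```php
<?php
// Added detection example, not part of the advisory or ChurchCRM. Assumes an
// access-log format of:  host [time] "request" status "Referer" "Origin".
declare(strict_types=1);

const SELF_HOST = 'churchcrm.example.org';   // assumption: the app's own hostname

// Parse one log line into fields, or return null if it does not match the format.
function parseLine(string $line): ?array
{
    $re = '/^(\S+) \[([^\]]+)\] "(\S+) (\S+) \S+" (\d{3}) "([^"]*)" "([^"]*)"$/';
    if (!preg_match($re, $line, $m)) {
        return null;
    }
    return ['ip' => $m[1], 'time' => $m[2], 'method' => $m[3], 'path' => $m[4],
            'status' => (int) $m[5], 'referer' => $m[6], 'origin' => $m[7]];
}

// Host part of a header value; "-" (logged when the header is absent) becomes null.
function hostOf(string $url): ?string
{
    if ($url === '' || $url === '-') {
        return null;
    }
    $host = parse_url($url, PHP_URL_HOST);
    return is_string($host) ? strtolower($host) : null;
}

// Verdict for one request: null means nothing to report, otherwise the reason.
function classify(array $r): ?string
{
    $path = parse_url($r['path'], PHP_URL_PATH);   // strip any query string
    if ($r['method'] !== 'POST' || !is_string($path) || !str_ends_with($path, '/UserEditor.php')) {
        return null;
    }
    $origin  = hostOf($r['origin']);
    $referer = hostOf($r['referer']);
    if ($origin !== null && $origin !== SELF_HOST) {
        return "cross-origin Origin={$origin}";
    }
    if ($origin === null && $referer !== null && $referer !== SELF_HOST) {
        return "cross-origin Referer={$referer}";
    }
    if ($origin === null && $referer === null) {
        return 'no Origin or Referer (possible suppressed referrer)';
    }
    return null;
}

// Constructed sample log lines (not real traffic): a normal edit flow, a forged
// POST from an attacker site, and a forged POST with both headers suppressed.
$sample = [
    '203.0.113.7 [12/May/2026:10:01:02 +0000] "GET /UserEditor.php?PersonID=12 HTTP/1.1" 200 "https://churchcrm.example.org/UserList.php" "-"',
    '203.0.113.7 [12/May/2026:10:01:09 +0000] "POST /UserEditor.php HTTP/1.1" 302 "https://churchcrm.example.org/UserEditor.php?PersonID=12" "https://churchcrm.example.org"',
    '203.0.113.7 [12/May/2026:10:15:41 +0000] "POST /UserEditor.php HTTP/1.1" 302 "https://evil.example/donate.html" "https://evil.example"',
    '203.0.113.7 [12/May/2026:10:16:03 +0000] "POST /UserEditor.php HTTP/1.1" 302 "-" "-"',
];

foreach ($sample as $line) {
    $r = parseLine($line);
    if ($r === null) {
        fwrite(STDERR, "unparsed: $line\n");
        continue;
    }
    $why = classify($r);
    if ($why !== null) {
        printf("ALERT %s %s POST %s -> %s\n", $r['time'], $r['ip'], $r['path'], $why);
    }
}
```

Point it at a real log with `php detect_csrf.php < access.log` after replacing the `$sample` array with a `fgets(STDIN)` loop. The same source IP appearing on both the legitimate edit and the flagged POSTs is expected: in a CSRF attack the requests come from the administrator's own browser, so the headers, not the client address, carry the signal.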
Monitoring Recommendations
- Enable application-level audit logging for all user creation and permission change events, including timestamp, source IP, and acting account.
- Alert on creation of accounts assigned administrative roles outside of approved maintenance windows.
- Monitor for administrator browser sessions making rapid sequential POST requests to user management endpoints, which can indicate automated CSRF exploitation.
How to Mitigate CVE-2026-42289
Immediate Actions Required
- Upgrade ChurchCRM to version 7.3.2 or later, which introduces CSRF token validation on UserEditor.php.
- Audit all existing user accounts and remove any administrator accounts that cannot be tied to a known operator.
- Force password resets for active administrator accounts and invalidate existing sessions after upgrade.
Patch Information
The vulnerability is fixed in ChurchCRM 7.3.2. Administrators should review the GitHub Security Advisory GHSA-3xq9-c86x-cwpp for upgrade guidance and verify the deployed version after applying the update.
Workarounds
- Restrict access to the ChurchCRM administrative interface using network controls or a reverse proxy that requires VPN or IP allowlisting.
- Instruct administrators to use a dedicated browser profile for ChurchCRM and log out immediately after administrative tasks to limit session exposure.
- Deploy a web application firewall rule that rejects POST requests to UserEditor.php when the Origin header does not match the application's origin. Key the rule on Origin rather than Referer: browsers send Origin on every cross-site POST, whereas an attacker page can suppress Referer with a no-referrer policy. Rejecting POSTs with no Origin header at all closes that gap but also blocks legitimate non-browser clients, so test before enforcing.
# Example WAF rules (ModSecurity) to block cross-origin POSTs to UserEditor.php.
# Keyed on Origin, not Referer, and on REQUEST_FILENAME so a query string does not defeat the path match.
SecRule REQUEST_METHOD "@streq POST" "chain,phase:1,deny,status:403,log,id:1042289,msg:'CVE-2026-42289 CSRF block'"
    SecRule REQUEST_FILENAME "@endsWith /UserEditor.php" "chain"
        SecRule REQUEST_HEADERS:Origin "!@streq https://churchcrm.example.org"
# Companion rule: also reject such POSTs that carry no Origin header at all.
SecRule REQUEST_METHOD "@streq POST" "chain,phase:1,deny,status:403,log,id:1042290,msg:'CVE-2026-42289 CSRF block (no Origin)'"
    SecRule REQUEST_FILENAME "@endsWith /UserEditor.php" "chain"
        SecRule &REQUEST_HEADERS:Origin "@eq 0"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.