Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2026-42289

CVE-2026-42289: ChurchCRM Auth Bypass Vulnerability

CVE-2026-42289 is an authentication bypass flaw in ChurchCRM that allows attackers to exploit CSRF vulnerabilities and elevate privileges to administrator level. This article covers technical details, affected versions, impact, and mitigation steps.

Published:

CVE-2026-42289 Overview

CVE-2026-42289 is a Cross-Site Request Forgery (CSRF) vulnerability in ChurchCRM, an open-source church management system. The flaw resides in UserEditor.php, which processes user account creation and permission updates entirely through $_POST parameters without validating CSRF tokens. An unauthenticated attacker can craft a malicious HTML page that, when visited by an authenticated administrator, silently elevates a low-privilege user to administrator or creates a new backdoor admin account. The vulnerability affects ChurchCRM versions prior to 7.3.2 and is fixed in release 7.3.2. The weakness maps to [CWE-269: Improper Privilege Management].

Critical Impact

Successful exploitation grants attackers full administrator access to ChurchCRM, exposing congregation data, financial records, and platform configuration.

Affected Products

  • ChurchCRM versions prior to 7.3.2
  • UserEditor.php component handling user account creation
  • UserEditor.php component handling permission updates

Discovery Timeline

  • 2026-05-12 - CVE-2026-42289 published to NVD
  • 2026-05-14 - Last updated in NVD database

Technical Details for CVE-2026-42289

Vulnerability Analysis

The vulnerability stems from missing CSRF protection in the UserEditor.php endpoint. ChurchCRM accepts user creation and permission modification requests using $_POST parameters without verifying an anti-CSRF token tied to the administrator session. Browsers automatically attach session cookies to cross-origin form submissions, so any authenticated administrator visiting attacker-controlled content unknowingly submits privileged requests. The attack requires user interaction from a victim with administrative rights but no prior authentication or privileges on the attacker side. Impact spans confidentiality, integrity, and availability, since a planted administrator account allows full data access, modification of records, and disruption of the application.

Root Cause

The root cause is the absence of CSRF token validation on state-changing requests handled by UserEditor.php. The script trusts $_POST inputs that govern account creation and role assignment without verifying request origin or a synchronizer token. This design fits the [CWE-269] pattern, where privilege changes are accepted without enforcing the controls required to prevent unauthorized escalation.

Attack Vector

An attacker hosts a malicious HTML page containing a hidden form or JavaScript that auto-submits POST requests to the target ChurchCRM instance's UserEditor.php endpoint. The attacker lures an authenticated administrator to the page through phishing, a watering-hole site, or a malicious link. The victim's browser includes the active ChurchCRM session cookie, causing the application to process the forged request as a legitimate administrative action. The attacker can elevate an existing low-privilege account or insert a new account with full administrator permissions, establishing persistent access.

No verified exploit code is published. See the GitHub Security Advisory for technical details.

Detection Methods for CVE-2026-42289

Indicators of Compromise

  • Unexpected new administrator accounts created in the ChurchCRM user_usr table or visible in the user management interface.
  • Permission changes on existing accounts that do not correspond to documented administrator actions or change tickets.
  • HTTP POST requests to UserEditor.php with Referer headers pointing to external or unknown domains.

Detection Strategies

  • Review web server access logs for POST requests to UserEditor.php and correlate them with authenticated administrator session activity.
  • Audit ChurchCRM user and role tables on a recurring schedule to detect unauthorized account additions or privilege escalations.
  • Inspect HTTP Origin and Referer headers on requests to administrative endpoints and flag mismatches with the application's own hostname.

Monitoring Recommendations

  • Enable application-level audit logging for all user creation and permission change events, including timestamp, source IP, and acting account.
  • Alert on creation of accounts assigned administrative roles outside of approved maintenance windows.
  • Monitor for administrator browser sessions making rapid sequential POST requests to user management endpoints, which can indicate automated CSRF exploitation.

How to Mitigate CVE-2026-42289

Immediate Actions Required

  • Upgrade ChurchCRM to version 7.3.2 or later, which introduces CSRF token validation on UserEditor.php.
  • Audit all existing user accounts and remove any administrator accounts that cannot be tied to a known operator.
  • Force password resets for active administrator accounts and invalidate existing sessions after upgrade.

Patch Information

The vulnerability is fixed in ChurchCRM 7.3.2. Administrators should review the GitHub Security Advisory GHSA-3xq9-c86x-cwpp for upgrade guidance and verify the deployed version after applying the update.

Workarounds

  • Restrict access to the ChurchCRM administrative interface using network controls or a reverse proxy that requires VPN or IP allowlisting.
  • Instruct administrators to use a dedicated browser profile for ChurchCRM and log out immediately after administrative tasks to limit session exposure.
  • Deploy a web application firewall rule that rejects POST requests to UserEditor.php when the Origin or Referer header does not match the application's hostname.
bash
# Example WAF rule (ModSecurity) to block cross-origin POSTs to UserEditor.php
SecRule REQUEST_METHOD "@streq POST" \
    "chain,phase:1,deny,status:403,id:1042289,msg:'CVE-2026-42289 CSRF block'"
SecRule REQUEST_URI "@endsWith /UserEditor.php" "chain"
SecRule REQUEST_HEADERS:Referer "!@beginsWith https://churchcrm.example.org/"

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.