CVE-2026-44547 Overview
CVE-2026-44547 affects ChurchCRM, an open-source church management system. The vulnerability exists in versions 7.2.0 through 7.2.2 and stems from an incomplete fix for CVE-2026-4058. A hardening commit targeting src/api/routes/public/public-user.php was merged but later stripped by an unrelated pull request before any 7.2.x tag was released. Every shipped 7.2.x release therefore remains exploitable using the proof-of-concept published with the original advisory. The flaw is categorized as Improper Authentication [CWE-287]. ChurchCRM has resolved the issue in version 7.3.1.
Critical Impact
Authenticated network attackers can exploit the authentication weakness in the public user API to compromise confidentiality and integrity of ChurchCRM instances.
Affected Products
- ChurchCRM 7.2.0
- ChurchCRM 7.2.1
- ChurchCRM 7.2.2
Discovery Timeline
- 2026-05-12 - CVE-2026-44547 published to NVD
- 2026-05-13 - Last updated in NVD database
Technical Details for CVE-2026-44547
Vulnerability Analysis
The vulnerability resides in src/api/routes/public/public-user.php, a public API route handler in ChurchCRM. The original advisory CVE-2026-4058 identified an authentication weakness in this file. Maintainers merged a hardening commit to address it. However, an unrelated pull request later removed those changes before the 7.2.x branch was tagged. The result is that every 7.2.x release shipped without the security fix in place. Attackers can exploit the regression using the same proof-of-concept published for CVE-2026-4058. Successful exploitation impacts confidentiality and integrity, with a scope change indicating effects beyond the vulnerable component.
Root Cause
The root cause is a regression introduced through inadequate change control. The hardening commit was silently reverted by an unrelated merge, so the intended authentication check on the public user endpoint is absent from every shipped 7.2.x release. The underlying weakness is classified as Improper Authentication [CWE-287], allowing attackers to bypass identity verification on the affected API route.
Attack Vector
The vulnerability is exploitable over the network with low attack complexity and requires low privileges. No user interaction is needed. An attacker reaches the affected endpoint by sending crafted HTTP requests to the public user API route. Refer to the GitHub Security Advisory GHSA-cwp8-rm8g-q5c9 and the corresponding GitHub Pull Request #8855 for the technical proof-of-concept and remediation details.
Detection Methods for CVE-2026-44547
Indicators of Compromise
- Unexpected HTTP requests to /api/public/public-user.php or related public user API endpoints.
- New or modified administrative accounts in the ChurchCRM User table without corresponding audit log entries.
- Successful authentication events from unfamiliar source IP addresses targeting the public API.
Detection Strategies
- Review web server access logs for anomalous POST or PUT requests targeting public user routes.
- Compare deployed ChurchCRM source against the upstream 7.3.1 release to identify the missing hardening logic in public-user.php.
- Correlate API access patterns with the published proof-of-concept linked in the GitHub Security Advisory GHSA-cwp8-rm8g-q5c9.
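The log review described above, as an added example that is not part of the original advisory: it parses web-server access logs in Combined Log Format, flags write requests (POST, PUT, PATCH, DELETE) against the public API prefix, and counts them per source address. The URL prefix /api/public/ and the paths in the sample lines are assumptions, since the advisory names only the handler file; adjust the prefix to the deployed routing.

```python
import re
from collections import Counter

# Combined Log Format as written by Apache and nginx by default.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Assumed URL prefix served by src/api/routes/public/public-user.php;
# the advisory gives only the file name, so this is a placeholder.
PUBLIC_USER_PREFIX = "/api/public/"
WRITE_METHODS = {"POST", "PUT", "PATCH", "DELETE"}


def parse_line(line):
    """Parse one access-log line; return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["status"] = int(entry["status"])
    return entry


def flag_public_user_writes(lines, prefix=PUBLIC_USER_PREFIX):
    """Return write requests that target the public user route, in log order."""
    hits = []
    for line in lines:
        e = parse_line(line)
        if e and e["method"] in WRITE_METHODS and e["path"].startswith(prefix):
            hits.append(e)
    return hits


def successful_writes(hits):
    """Keep only hits the server answered with 2xx: the strongest signal."""
    return [e for e in hits if 200 <= e["status"] < 300]


def sources_by_hits(hits):
    """Count flagged requests per source IP to surface repeat offenders."""
    return Counter(e["ip"] for e in hits)


# Constructed sample log lines (RFC 5737 test addresses, hypothetical paths).
SAMPLE_LOG = [
    '198.51.100.23 - - [12/May/2026:10:01:02 +0000] "POST /api/public/user/login HTTP/1.1" 200 512 "-" "curl/8.4.0"',
    '198.51.100.23 - - [12/May/2026:10:01:05 +0000] "PUT /api/public/user/7 HTTP/1.1" 200 88 "-" "curl/8.4.0"',
    '192.0.2.10 - - [12/May/2026:10:02:11 +0000] "GET /api/public/user/7 HTTP/1.1" 200 301 "-" "Mozilla/5.0"',
    '192.0.2.10 - - [12/May/2026:10:03:40 +0000] "POST /api/login HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [12/May/2026:10:04:00 +0000] "POST /api/public/user/login HTTP/1.1" 401 40 "-" "python-requests/2.31"',
    'not a log line',
]
```

Feed the real access log into flag_public_user_writes and review the 2xx hits from successful_writes first, since a write that the public route accepted is the pattern the regression enables.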
Monitoring Recommendations
- Enable verbose logging on the ChurchCRM application and web server hosting the instance.
- Alert on creation or privilege changes for ChurchCRM user accounts outside normal administrative workflows.
- Monitor database queries issued by the public API handler for anomalous modifications to user records.
How to Mitigate CVE-2026-44547
Immediate Actions Required
- Upgrade ChurchCRM to version 7.3.1, which contains the complete authentication fix.
- Audit all existing user accounts and revoke any unauthorized credentials created during the exposure window.
- Restrict network access to ChurchCRM administrative and API endpoints using firewall rules or reverse proxy controls.
Patch Information
The vulnerability is fixed in ChurchCRM 7.3.1. The upstream remediation is tracked in GitHub Pull Request #8855 and documented in GitHub Security Advisory GHSA-cwp8-rm8g-q5c9. Administrators should follow the official upgrade procedure and verify that src/api/routes/public/public-user.php contains the hardened authentication checks after deployment.
Workarounds
- Place the ChurchCRM instance behind an authenticating reverse proxy that blocks unauthenticated access to public API routes.
- Temporarily disable or restrict access to src/api/routes/public/public-user.php at the web server layer until the upgrade is applied.
- Rotate credentials and session tokens for all ChurchCRM users after applying mitigations.
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.